Université Paris XI 
Orsay, France 



Ph. D. Thesis 



Type Theory and Rewriting 



Frédéric BLANQUI 



28 September 2001 



Committee: 

Mr Thierry COQUAND, referee 
Mr Gilles DOWEK, president of the jury 

Mr Herman GEUVERS, referee 
Mr Jean-Pierre JOUANNAUD, supervisor 
Mme Christine PAULIN 
Mr Miklós SANTHA 



The 19th of March 1998 was an important date for at least two reasons. The first one was personal. The second one was that Jean-Pierre Jouannaud agreed to supervise my master's thesis on "extending the Calculus of Constructions with a new version of the General Schema", which he had roughed out with Mitsuhiro Okada. This did not mean much to me then. However, I was very happy with the idea of studying both λ-calculus and rewriting, and their interaction. This work is the result of that enthusiasm. 

This is why I will begin by thanking Jean-Pierre Jouannaud, for the honor he did me, and for the trust, the help, the advice and the support that he gave me during these three years. He taught me a lot and I will always be grateful to him. 

I also thank Mitsuhiro Okada for the discussions we had together and the support he gave me. It was a great honor to have the opportunity to work with him. I hope we will have many other fruitful collaborations. 

I also thank Maribel Fernandez who helped me at the beginning of my thesis by 
supervising my work with Jean-Pierre Jouannaud. 

I also thank Gilles Dowek, who supported me in my work and helped me on several important occasions. His work was (and still is!) an important source of reflection and inspiration. 

I also thank Daria Walukiewicz, with whom I had many fruitful discussions. I thank her very much for having read in detail an important part of this thesis and for having helped me to correct errors and imprecisions. 

I also thank every person in the DEMONS team of the LRI and the Coq team (newly baptized LogiCal) of INRIA Rocquencourt, in particular Christine Paulin and Claude Marché, who helped me several times. These two teams are a privileged research environment with a pleasant atmosphere. 

I also thank the referees of this thesis, Thierry Coquand and Herman Geuvers, 
for their interest in my work and the remarks they made for improving it. 

Finally, I thank the members of the jury and the president of the jury for the honor they did me by agreeing to examine my work. 



Contents 



1 Introduction 7 

1.1 Some history 7 

1.2 Motivations 17 

1.3 Previous works 20 

1.4 Contributions 22 

1.5 Outline of the thesis 23 

2 Preliminaries 25 

3 Type Systems Modulo (TSM's) 29 

3.1 Definition 30 

3.2 Properties 33 

3.3 TSM's stable by substitution 35 

3.4 Logical TSM's 37 

4 Reduction Type Systems (RTS's) 41 

4.1 Definition 41 

4.2 Logical and functional RTS's 43 

4.3 Logical and injective RTS's 45 

4.4 Confluent RTS's 48 

5 Algebraic Type Systems (ATS's) 51 

6 Conditions of Strong Normalization 57 

6.1 Term classes 57 

6.2 Inductive types and constructors 58 

6.3 General Schema 63 

6.3.1 Higher-order rewriting 63 

6.3.2 Definition of the schema 65 

6.4 Strong normalization conditions 71 

7 Examples of CAC's 77 

7.1 Calculus of Inductive Constructions (CIC) 77 

7.2 CIC + Rewriting 87 

7.3 Natural Deduction Modulo (NDM) 88 






8 Correctness of the conditions 91 

8.1 Terms to be interpreted 91 

8.2 Reducibility candidates 93 

8.3 Interpretation schema 97 

8.4 Interpretation of constant predicate symbols 102 

8.5 Reducibility ordering 109 

8.6 Interpretation of defined predicate symbols 111 

8.6.1 Primitive systems 112 

8.6.2 Positive, small and simple systems 112 

8.6.3 Recursive, small and simple systems 112 

8.7 Correctness of the conditions 113 

9 Future directions of research 121 

Bibliography 123 



Chapter 1 

Introduction 



What is good programming? Apart from writing programs which are understandable and reusable by other people, above all it is being able to write programs without errors. But how do you know whether a program has no error? By proving it. In other words, to program well requires doing mathematics. 

But how do you know whether a proof that a program has no error is itself free of errors? By writing a proof which can be checked by a computer. In other words, to program well requires doing formal mathematics. 

This is the subject of this thesis: defining a formal system in which one can program and prove that a program is correct. 

However, work is not duplicated between programming and proving. In fact, from a proof that a program specification can be satisfied, one can extract an error-free program! This is due to the termination of "cut elimination" in intuitionistic logic, discovered by G. Gentzen in 1933 [57]. 

More precisely, we will consider a particular class of formal systems, the type systems. We will study their properties when they are extended with definitions by rewriting. Rewriting is a simple and general computation paradigm based on rules like $x + 0 \to x$, that is, if one has an expression of the form $x + 0$, then one can simplify it to $x$. 

But for such a system to serve in proving the correctness of programs, one must make sure that the system itself is correct, that is, that one cannot prove something which is false. This is why we will give conditions on the rewrite rules and prove that these conditions indeed ensure the correctness of the system. 

First, let us see how type systems appeared, what results are already known and what our contributions are (they are summarized in Section 1.4). 

1.1 Some history 

This section is not intended to provide an absolutely rigorous historical summary. We only want to recall the basic concepts on which our work is based (type theory, λ-calculus, etc.) and show how our work fits into the continuation of previous works aiming at introducing more programming into logic or, dually, more logic into programming. We will therefore take some liberties with the formalisms used. 

The reader familiar with these notions (in particular the Calculus of Constructions and the Calculus of Inductive Constructions) can go directly to Section 1.2, where we present our motivations for adding rewriting to the Calculus of Constructions both at the object level and at the predicate level. 

Set theory 

One of the first formal systems enabling one to describe all of mathematics was the set theory of E. Zermelo (1908), later extended by A. Fraenkel (1922). It was followed by the type theory of A. Whitehead and B. Russell (1911) [120], also called higher-order logic. These two formal systems were introduced to avoid the inconsistency of the set theory of G. Cantor (1878). 

In first-order logic, in which the set theory of E. Zermelo and A. Fraenkel is generally expressed, the objects of the discourse are built from constants and function symbols ($0$, $+$, ...). Then, some predicate symbols ($\in$, ...), the logical connectives ($\vee$, $\wedge$, $\Rightarrow$, ...) and the universal and existential quantifiers ($\forall$, $\exists$) enable one to express propositions about these objects. 

One of the axioms of G. Cantor's set theory is the Comprehension Axiom, which says that every proposition defines a set: 

$(\exists x)(\forall y)\ y \in x \Leftrightarrow P(y)$ 

From this axiom, one can derive Russell's paradox (1902). By taking $P(x) = x \notin x$, one can define the set $R$ of the $x$'s which do not belong to themselves. Then $R \in R \Leftrightarrow R \notin R$, and one can deduce that any proposition is true. To avoid this problem, E. Zermelo proposed to restrict the Comprehension Axiom as follows: 

$(\forall z)(\exists x)(\forall y)\ y \in x \Leftrightarrow y \in z \wedge P(y)$ 

that is, one can define by comprehension only subsets of previously well-defined sets. 

Type theory 

In type theory, instead of restricting the Comprehension Axiom, the idea is to forbid expressions like $x \in x$ or $x \notin x$ by restricting the application of a predicate to an object. To this end, one associates to each function symbol and predicate symbol (except $\in$) a type as follows: 

- to a constant, one associates the type $\iota$, 

- to a function symbol taking one argument, one associates the type $\iota \to \iota$, 

- to a function symbol taking two arguments, one associates the type $\iota \to \iota \to \iota$, 

- to a proposition, one associates the type $o$, 

- to a predicate symbol taking one argument, one associates the type $\iota \to o$, 

- to a predicate symbol taking two arguments, one associates the type $\iota \to \iota \to o$. 

Then, one can apply a function $f$ taking $n$ arguments to $n$ objects $t_1, \ldots, t_n$ if the type of $f$ is $\iota \to \ldots \to \iota \to \iota$ (with $n$ arrows) and every $t_j$ is of type $\iota$. And one can say that $n$ objects $t_1, \ldots, t_n$ satisfy a predicate symbol $P$ taking $n$ arguments if the type of $P$ is $\iota \to \ldots \to \iota \to o$ and every $t_j$ is of type $\iota$. 

Finally, one considers that a set is no longer an object (that is, an expression of type $\iota$) but a predicate (an expression of type $\iota \to o$). And, for representing $x \in E$, which means that $x$ satisfies $E$, one writes $E\,x$ (application of $E$ to $x$). Hence, one can easily verify that it is not possible to express Russell's paradox: one cannot write $x\,x$ to represent $x \in x$, since $x$ would then be both of type $\iota \to o$ and of type $\iota$, which is not allowed. In the following, we write $t : \tau$ to say that $t$ is of type $\tau$. 

Now, to represent natural numbers, there are several possibilities. However, it is always necessary to state an axiom of infinity for $\iota$, and to be able to express the set of natural numbers as the smallest set containing zero and closed under the successor function. To this end, one must be able to quantify over sets, that is, over expressions of type $\iota \to o$. 

Now, one is not restricted to the objects and predicate expressions described above, but can consider all the expressions that can be formed by applications which respect types: 

- The set of simple types is the smallest set $T$ containing $\iota$, $o$ and $\sigma \to \tau$ whenever $\sigma$ and $\tau$ belong to $T$. 

- The set of terms of type $\tau$ is the smallest set containing the constants of type $\tau$ and the applications $t\,u$ whenever $t$ is a term of type $\sigma \to \tau$ and $u$ a term of type $\sigma$. 

Finally, one introduces an explicit notation for functions and sets, the λ-abstraction, and considers logical connectives and quantifiers as predicate symbols by giving them the following respective types: $\vee : o \to o \to o$, $\wedge : o \to o \to o$, $\forall_\tau : (\tau \to o) \to o$, ... For example, if $\iota$ denotes the set of natural numbers, then one can represent the predicate "is even" (of type $\iota \to o$) by the expression $pair = \lambda x{:}\iota.\, \exists_\iota (\lambda y{:}\iota.\, x = 2 \times y)$, which we abbreviate as $\lambda x{:}\iota.\, \exists y{:}\iota.\, x = 2 \times y$. The language we obtain is called the simply-typed λ-calculus, $\lambda^\to$. 

But what can we say about $(pair\ 2)$ and $\exists y{:}\iota.\, 2 = 2 \times y$? The second expression can be obtained from the first one by substituting $2$ for $x$ in the body of $pair$. This operation of substitution is called β-reduction. More generally, $\lambda x{:}\tau.\,t$ applied to $u$ β-reduces to $t$ where $x$ is substituted by $u$: $(\lambda x{:}\tau.\,t)\,u \to_\beta t\{x \mapsto u\}$. 

It is quite natural to consider these two expressions as denoting the same proposition. This is why one adds the following Conversion Axiom: 

$P \Leftrightarrow Q$ if $P \to_\beta Q$ 

One then gets the type theory of A. Church (1940) [30]. 

In this theory, it is possible to quantify over all propositions: $\forall P{:}o.\, P \Rightarrow P$. In other words, a proposition can be defined by quantifying over all propositions, including itself. If one allows such quantifications, the theory is said to be impredicative, otherwise it is said to be predicative. 

Mathematics as a programming language 

The β-reduction corresponds to the evaluation process of a function. When one has a function $f$ defined by an expression $f(x)$ and wants its value on $5$, for example, one substitutes $5$ for $x$ in $f(x)$ and simplifies the expression until one gets the value of $f(5)$. 

One may wonder which functions are definable in Church's type theory. In fact, very few. With Peano's natural numbers (i.e. by taking $0 : \iota$ for zero and $s : \iota \to \iota$ for the successor function), one can express only constant functions or functions adding a constant to one of their arguments. With Church's numerals, where $n$ is represented by $\lambda x{:}\iota.\,\lambda f{:}\iota \to \iota.\, f \ldots f x$ with $n$ occurrences of $f$, H. Schwichtenberg [105] proved that one can express only the extended polynomials (the smallest set of functions closed under composition and containing the null function, the successor function, the projections, addition, multiplication and the test for zero). 

Of course, it is possible to prove the existence of numerous functions, that is, to prove a proposition of the form $(\forall x)(\exists y)\, P\,x\,y$ where $P$ represents the graph of the function. In intuitionistic type theory, for example (i.e. without using the Excluded-Middle Axiom $P \vee \neg P$), it is possible to prove the existence of any primitive recursive function. But there is no term $f : \iota \to \iota$ enabling us to compute the powers of $2$, for example, that is, such that $f\,n \to_\beta \ldots \to_\beta 2^n$. 

Representation of proofs 

G. Frege and D. Hilbert proposed to represent a proof of a proposition $Q$ as a sequence $P_1, \ldots, P_n$ of propositions such that $P_n = Q$ and, for every $i$, either $P_i$ is an axiom, or $P_i$ is a consequence of the previous propositions by modus ponens (from $P$ and $P \Rightarrow Q$ one can deduce $Q$) or by generalization (from $P(x)$ with $x$ arbitrary one can deduce $(\forall x)P(x)$). However, to carry out such proofs, it is necessary to consider many axioms, independent of any theory, which express the meaning of the logical connectives. 

Later, in 1933, G. Gentzen [57] proposed a new deduction system, called Natural Deduction, where logical axioms are replaced by introduction rules and elimination rules for the connectives and the quantifiers: 



(axiom) $\Gamma, P, \Gamma' \vdash P$ 

(∧-intro) $\frac{\Gamma \vdash P \quad \Gamma \vdash Q}{\Gamma \vdash P \wedge Q}$ 

(∧-elim1) $\frac{\Gamma \vdash P \wedge Q}{\Gamma \vdash P}$   (∧-elim2) $\frac{\Gamma \vdash P \wedge Q}{\Gamma \vdash Q}$ 

(⇒-intro) $\frac{\Gamma, P \vdash Q}{\Gamma \vdash P \Rightarrow Q}$   (⇒-elim) $\frac{\Gamma \vdash P \Rightarrow Q \quad \Gamma \vdash P}{\Gamma \vdash Q}$ 

(∃-intro) $\frac{\Gamma \vdash P(t)}{\Gamma \vdash (\exists x)P(x)}$   (∃-elim) $\frac{\Gamma \vdash (\exists x)P(x) \quad \Gamma, P(x) \vdash Q}{\Gamma \vdash Q}$  (if $x$ occurs neither in $\Gamma$ nor in $Q$) 

where $\Gamma$ is a set of propositions (the hypotheses). A pair $\Gamma \vdash Q$ made of a set of hypotheses $\Gamma$ and a proposition $Q$ is called a sequent. Then, a proof of a sequent $\Gamma \vdash Q$ is a tree whose root is $\Gamma \vdash Q$, whose nodes are instances of the deduction rules and whose leaves are applications of the rule (axiom). 

Cut elimination 

G. Gentzen remarked that some proofs can be simplified. For example, this proof of $Q$: 

$\frac{\frac{\Gamma, P \vdash Q}{\Gamma \vdash P \Rightarrow Q}\ (\Rightarrow\text{-intro}) \qquad \Gamma \vdash P}{\Gamma \vdash Q}\ (\Rightarrow\text{-elim})$ 

makes a detour which can be eliminated. It suffices to replace, in the proof of $\Gamma, P \vdash Q$, all the leaves (axiom) giving $\Gamma, P, \Gamma' \vdash P$ ($\Gamma'$ being additional hypotheses that may have been introduced for proving $Q$) by the proof of $\Gamma \vdash P$, in which $\Gamma$ is also replaced by $\Gamma, \Gamma'$. In fact, at every place where there is a cut, that is, an introduction rule immediately followed by an elimination rule for the same connective, it is possible to simplify the proof. G. Gentzen proved the following remarkable fact: the cut-elimination process terminates. 

Hence, any provable proposition has a cut-free proof. But, in intuitionistic logic, any cut-free proof of a proposition $(\exists x)P(x)$ must end with an introduction rule whose premise is of the form $P(t)$. Therefore, the cut-elimination process gives us a witness $t$ of an existential proposition. In other words, any function whose existence is provable is computable. 

If one can express the proofs themselves as objects of the theory, then it becomes 
possible to express many more functions than those allowed in the simply-typed A- 
calculus. 



The isomorphism of Curry-de Bruijn-Howard 

In 1958, Curry [41] remarked that there is a correspondence between the types of the simply-typed λ-calculus and the propositions formed from implication alone (one can identify $\to$ and $\Rightarrow$), and also between the terms of type $\tau$ and the proofs of the proposition corresponding to $\tau$. In other words, the simply-typed λ-calculus enables one to represent the proofs of minimal propositional logic. To this end, one associates to each proposition $P$ a variable $x_P$ of type $P$. Then, one defines the λ-term associated to a proof by induction on the size of the proof: 



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- the proof of T h P obtained by (axiom) is associated to xp; 

- the proof of T h P Q obtained by (=>-intro) from a proof 7r of T, P h Q is 
associated to the term Xxp:P.t where t is the term associated to tt; 

- the proof of T h Q obtained by (=>-elim) from a proof 7r of T h P =>■ Q and a 
proof 7r' of T h P is associated to the term tu where t is the term associated to tt 
and u the term associated to tt'. 



The set of λ-terms that we obtain can be directly defined as follows. We call an environment any set $\Gamma$ of pairs $x : P$ made of a variable $x$ and a type $P$ (representing a proposition). Then, a term $t$ is of type $P$ (is a proof of $P$) in the environment $\Gamma$ (under the hypotheses $\Gamma$) if $\Gamma \vdash t : P$ can be deduced by the following inference rules: 

(axiom) $\Gamma, x{:}P, \Gamma' \vdash x : P$ 

(⇒-intro) $\frac{\Gamma, x{:}P \vdash t : Q}{\Gamma \vdash \lambda x{:}P.\,t : P \Rightarrow Q}$ 

(⇒-elim) $\frac{\Gamma \vdash t : P \Rightarrow Q \quad \Gamma \vdash u : P}{\Gamma \vdash t\,u : Q}$ 


In 1965, W. W. Tait [110] remarked that β-reduction corresponds to cut-elimination. Indeed, if one annotates the example of a cut given above, one gets: 

$\frac{\frac{\Gamma, x{:}P \vdash t : Q}{\Gamma \vdash \lambda x{:}P.\,t : P \Rightarrow Q}\ (\Rightarrow\text{-intro}) \qquad \Gamma \vdash u : P}{\Gamma \vdash (\lambda x{:}P.\,t)\,u : Q}\ (\Rightarrow\text{-elim})$ 

If one β-reduces $(\lambda x{:}P.\,t)\,u$ to $t\{x \mapsto u\}$, then one obtains exactly the term corresponding to the cut-free proof of $\Gamma \vdash Q$. Hence, the existence of a cut-free proof corresponds to the weak normalization of β-reduction, that is, the existence, for any typable λ-term $t$, of a sequence of β-reductions leading to a β-irreducible term (we also say: a term in normal form). This is why normalization has such an important place in the study of type systems. 
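As an added illustration (example code written for this edition, not part of the thesis), the following Python program implements a simply-typed λ-calculus type checker and β-normalizer in the sense of the sections above. It checks that the self-application $x\,x$ behind Russell's paradox is rejected by the typing discipline, that $(pair\ 2)$ β-reduces to $\exists y{:}\iota.\,2 = 2 \times y$ (with assumed constants `exists`, `eq`, `times` and `two` standing in for $\exists_\iota$, $=$, $\times$ and $2$), and that β-reducing the proof term of the cut just shown yields the cut-free proof with the same type. The class-based encoding of types and terms and the helper names are this example's own.

```python
# Added example: a simply-typed lambda-calculus checker and beta-normalizer.
# Not code from the thesis; the class-based term/type encoding is this example's own.
from dataclasses import dataclass
from itertools import count

IOTA, O = "iota", "o"          # base types: individuals (iota) and propositions (o)

@dataclass(frozen=True)
class Arrow:                   # function type  dom -> cod
    dom: object
    cod: object

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:                     # lambda var:ty. body
    var: str
    ty: object
    body: object

@dataclass(frozen=True)
class App:                     # fun arg
    fun: object
    arg: object

class IllTyped(Exception):
    pass

def type_of(t, env):
    """Type of t under env (dict: variable name -> type); raises IllTyped otherwise."""
    if isinstance(t, Var):
        if t.name not in env:
            raise IllTyped(f"unbound variable {t.name}")
        return env[t.name]
    if isinstance(t, Lam):
        return Arrow(t.ty, type_of(t.body, {**env, t.var: t.ty}))
    ft, at = type_of(t.fun, env), type_of(t.arg, env)
    if not isinstance(ft, Arrow) or ft.dom != at:
        raise IllTyped(f"cannot apply a term of type {ft} to one of type {at}")
    return ft.cod

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.var}
    return free_vars(t.fun) | free_vars(t.arg)

_fresh = count()

def subst(t, x, u):
    """Capture-avoiding substitution t{x -> u}."""
    if isinstance(t, Var):
        return u if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, u), subst(t.arg, x, u))
    if t.var == x:
        return t
    if t.var in free_vars(u):  # rename the bound variable so u's free variables are not captured
        y = f"{t.var}_{next(_fresh)}"
        return Lam(y, t.ty, subst(subst(t.body, t.var, Var(y)), x, u))
    return Lam(t.var, t.ty, subst(t.body, x, u))

def beta_step(t):
    """One leftmost-outermost beta-step: (lambda x:T. t) u  ->  t{x -> u}."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam):
            return subst(t.fun.body, t.fun.var, t.arg), True
        f, done = beta_step(t.fun)
        if done:
            return App(f, t.arg), True
        a, done = beta_step(t.arg)
        return App(t.fun, a), done
    if isinstance(t, Lam):
        b, done = beta_step(t.body)
        return Lam(t.var, t.ty, b), done
    return t, False

def normalize(t, limit=1000):
    """Beta-normal form of t (simply-typed terms always have one)."""
    for _ in range(limit):
        t, done = beta_step(t)
        if not done:
            return t
    raise RuntimeError("no normal form within the step budget")

def russell_self_application_typable():
    """x x with x : iota -> o (a 'set' applied to itself): the typing rules reject it."""
    try:
        type_of(App(Var("x"), Var("x")), {"x": Arrow(IOTA, O)})
        return True
    except IllTyped:
        return False

# Assumed signature for the "is even" example (constant names chosen here):
# exists : (iota -> o) -> o, eq : iota -> iota -> o, times : iota -> iota -> iota, two : iota.
SIG = {"exists": Arrow(Arrow(IOTA, O), O), "eq": Arrow(IOTA, Arrow(IOTA, O)),
       "times": Arrow(IOTA, Arrow(IOTA, IOTA)), "two": IOTA}
# pair = lambda x:iota. exists (lambda y:iota. eq x (times two y))
PAIR = Lam("x", IOTA, App(Var("exists"), Lam("y", IOTA,
           App(App(Var("eq"), Var("x")), App(App(Var("times"), Var("two")), Var("y"))))))

def even_two():
    """(pair two): its type, and its beta-normal form exists (lambda y. eq two (times two y))."""
    t = App(PAIR, Var("two"))
    return type_of(t, SIG), normalize(t)

def eliminate_cut():
    """Curry-Howard: under y:Q, z:P the term (lambda x:P. y) z proves Q through a cut;
    beta-reduction removes the cut and keeps the type (subject reduction)."""
    env = {"y": "Q", "z": "P"}
    cut = App(Lam("x", "P", Var("y")), Var("z"))
    nf = normalize(cut)
    return type_of(cut, env), nf, type_of(nf, env)
```

`type_of` is the inference system of the three rules above read as an algorithm (the (app) case is where $x\,x$ fails: the domain $\iota$ of $x$'s type is not the type $\iota \to o$ of the argument), and `beta_step` is the cut-elimination step; since the calculus is simply typed, `normalize` always reaches a normal form, so the budget only guards against misuse on untyped terms.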



In 1968, N. de Bruijn [42] proposed a system of dependent types extending the simply-typed λ-calculus, in which it was possible to express the propositions and the proofs of intuitionistic first-order logic. This system was the basis of one of the first programs for doing formal proofs: AUTOMATH. A dependent type is simply a function which associates a type expression to each object. It enables one to represent predicates and quantifiers. In 1969, W. A. Howard [69] considered a similar system, but without considering it as a logical system in its own right. 
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In a dependent type system, the well-formedness of types depends on the well- 
formedness of terms. It is then necessary to consider environments with type vari- 
ables and to add typing rules for types and environments (the order of variables now 
matters) . Finally, it is necessary to add a conversion rule for identifying /3-equivalent 
propositions. One then gets a set of typing rules similar to the ones of Figure 1.1 

(this is a modern presentation which emerged at the end of the 80's only), 
centering 

Figure 1.1: Typing rules of AP 



(ax) 
(var) 
(weak) 
(prod-A^) 
(prod-AP) 
(abs) 
(app) 
(conv) 



h* : □ 

T h T : s E {*, □} 
T,x:T h x : T 

Tht:T ThU:s £{*,□} 
T,x:Uh t : T 

ThT:* r,x:T\-U:* 
r P {x:T)U : * 

r h T : ★ T,x:T\-U:B 
r h {x:T)U : □ 

F,x:Thu:U V h (x:T)U : s € {★, □} 
r h Ax:T.n : (x:T)C7 

rht:(x:?7)y rhti:[/ 
Thtu: V{x ^ u} 



r h t : T T ^* T r I- T' : ★ 

r h t : r 



In this system, $*$ is the type of propositions and of the sets of the discourse (natural numbers, etc.), and $\Box$ is the type of predicate types (of which $*$ is one). For example, the set of natural numbers $nat$ has the type $*$, the predicate $even$ has the type $(n{:}nat)*$, which we abbreviate as $nat \to *$ since $n$ does not occur in $*$ (non-dependent product), and $nat \to *$ has the type $\Box$. Starting from the rule (ax), the rules (var) and (weak) enable one to build environments. The rule (prod-λ→) enables one to build propositions and the rule (prod-λP) enables one to build predicate types. In the case of a proposition, if the product is not dependent ($x$ does not occur in $U$) then it is an implication, otherwise it is a universal quantification. In other words, without the rule (prod-λP), we get the simply-typed λ-calculus. The rule (abs) enables one to build a function (if $s = *$) or a predicate (if $s = \Box$). Finally, the rule (app) enables the application of a function or a predicate to an argument. In other words, the rules (abs) and (app) generalize the rules (⇒-intro) and (⇒-elim) of the simply-typed λ-calculus. 

From the point of view of programming, dependent types enable one to have more information about data and hence to reduce the risk of error. For example, one can define the type $(list\ n)$ of lists of natural numbers of length $n$ by declaring $list : nat \to *$. Then, the empty list $nil$ has the type $(list\ 0)$ and the function $cons$, which adds a natural number $x$ at the head of a list $\ell$ of length $n$, has the type $nat \to (n{:}nat)(list\ n) \to (list\ (s\ n))$. One can then check that a list does not exceed some given length. 



Inductive definitions 

In higher-order logic, the induction principle for natural numbers can be proved only if natural numbers are impredicatively defined. In other words, if one prefers to stay in a predicative framework, it is necessary to state the induction principle for natural numbers as an axiom. 

This is why, in 1971, P. Martin-Löf [84] extended the calculus of N. de Bruijn by including expressions representing inductive types and their induction principles. For example, the type of natural numbers is represented by the symbol $nat : *$, zero by $0 : nat$, the successor function by $s : nat \to nat$ and proof by induction for a predicate $P : nat \to *$ by $rec_P : P0 \to (\forall n{:}nat.\, Pn \to P(s\,n)) \to \forall n{:}nat.\, Pn$. In the conversion rule (conv), P. Martin-Löf adds to β-reduction the ι-reduction, which corresponds to the elimination of induction cuts: 

(conv) $\frac{\Gamma \vdash t : T \quad T \downarrow_{\beta\iota} T' \quad \Gamma \vdash T' : *}{\Gamma \vdash t : T'}$ 

In the case of $nat$, the rules defining ι-reduction are those of K. Gödel's System T [65]: 

$rec_P(p_0, p_s, 0) \to_\iota p_0$ 
$rec_P(p_0, p_s, s(n)) \to_\iota p_s\ n\ rec_P(p_0, p_s, n)$ 

where $p_0$ is a proof of $P0$ and $p_s$ a proof of $\forall n{:}nat.\, Pn \to P(s\,n)$. From these rules, by taking $P = \lambda x{:}nat.\,nat$, it is possible to define functions on natural numbers such as addition and multiplication: 

$x + y = rec_P(y, \lambda u.\lambda v.\,s(v), x)$ 
$x \times y = rec_P(0, \lambda u.\lambda v.\,v + y, x)$ 

To convince oneself, let $f = \lambda u.\lambda v.\,s(v)$ and let us check that $2 + 2$ rewrites to $4$ (writing $1$ for $s(0)$, $2$ for $s(1)$, and so on; $f$ takes two arguments, hence two β-steps per unfolding): 

$2 + 2 = rec(2, f, 2) \to_\iota f\ 1\ rec(2, f, 1) \to_\beta \to_\beta s(rec(2, f, 1)) \to_\iota s(f\ 0\ rec(2, f, 0)) \to_\beta \to_\beta s(s(rec(2, f, 0))) \to_\iota s(s(2)) = 4$. 

In fact, in this theory, it is possible to express by a term any function whose existence is provable in predicative intuitionistic higher-order arithmetic (and these functions are also those expressible in K. Gödel's System T). 
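As an added example (not code from the thesis), the following Python program implements the recursor $rec_P$ directly from the two ι-rules above, on Peano numerals encoded as nested tuples (an encoding chosen here), and defines $+$ and $\times$ exactly as in the text; it also defines $\le$ with the two nested recursors that the "Easier definitions" paragraph of Section 1.2 contrasts with a three-rule rewriting definition. A counter of ι-steps (an instrument added for this example) lets one check the trace of $2 + 2$ and observe the cost of computing $n + 0$ when $+$ recurses on its first argument.

```python
# Added example: Goedel's System T recursor on Peano numerals, written from the
# two iota-rules above.  Not code from the thesis; numerals are nested tuples and
# the step counter is an instrument added here.
ZERO = ("0",)
def S(n): return ("s", n)        # successor s(n)
def nat(k):                      # Python int -> s^k(0)
    t = ZERO
    for _ in range(k):
        t = S(t)
    return t
def to_int(t):                   # s^k(0) -> k
    k = 0
    while t != ZERO:
        t, k = t[1], k + 1
    return k

STATS = {"iota": 0}              # number of iota-steps (unfoldings of rec) performed

def rec(p0, ps, n):
    """rec_P(p0, ps, 0) ->iota p0 ;  rec_P(p0, ps, s(n)) ->iota ps n rec_P(p0, ps, n).
    Python evaluates arguments eagerly, so the inner rec is unfolded even when ps
    ignores it: this is an innermost strategy, and it makes the cost visible."""
    STATS["iota"] += 1
    if n == ZERO:
        return p0
    return ps(n[1], rec(p0, ps, n[1]))

# P = lambda x:nat. nat for both definitions, exactly as in the text.
def add(x, y):
    return rec(y, lambda u, v: S(v), x)

def mul(x, y):
    return rec(ZERO, lambda u, v: add(v, y), x)

# x <= y with P = lambda _. nat -> bool: two nested recursors, one on x and,
# inside the step case, one on y (the recursor form of <= given in Section 1.2).
def leq(x, y):
    step = lambda n, z: (lambda y: rec(False, lambda n2, z2: z(n2), y))
    return rec(lambda y: True, step, x)(y)

def count_iota_steps(f, *args):
    """Run f(*args) with the counter reset; returns (result, iota-steps used)."""
    STATS["iota"] = 0
    return f(*args), STATS["iota"]
```

`count_iota_steps(add, nat(2), nat(2))` unfolds `rec` three times, as in the trace above (one ι-step for each of 2, 1 and 0), and `count_iota_steps(add, nat(n), ZERO)` needs n + 1 unfoldings, which is the inefficiency that Section 1.2 removes with the extra rule $x + 0 \to x$.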
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Polymorphism 

The termination problem of cut-elimination in intuitionist impredicative higher- 
order arithmetic was solved by J.-Y. Girard [63] in 1971. To this end, he introduced 
a polymorphic type system Fu; (J. Reynolds [103] introduced independently a similar 
system for second-order quantifications only). A polymorphic type is a function 
which, to a type expression, associates a type expression. And for representing 
the proofs of impredicative propositions, one also needs the terms themselves to 
be polymorphic, that is, it must be possible for a term to be applied to a type 
expression. Formally, for second-order quantifications (i.e. on propositions), this 
requires the replacement of the rule (prod-AP) in Figure 1.1 by the rule : 

ThT:a F,x:T\-U:* 
(pr ° d - F) T\-(x:T)U:* 

which for example allows one to build the type (P : *)P — > P corresponding to the 
proposition VP : o.P =^ P in higher-order logic. For higher-order quantifications, 
one must add the following rule : 

ThT:a T,x:ThU:a 
(pr ° d - Ftj) T\-(x:T)U:U 

which allows the formation of predicate types like for example * — ► * which corre- 
sponds to o => o in higher-order logic. 

In this system, it is then possible to express any function whose existence is 
provable in impredicative intuitionist higher-order arithmetic. 

From the point of view of programming, polymorphism enables one to formalize 
generic algorithms with respect to data types. For example, one can speak of the 
type (list A) of lists of elements of type A, for any type A, by declaring list 

In 1984, T. Coquand and G. Huet [37] defined a system, the Calculus of Con- 
structions (CC), which makes the synthesis of the systems of N. de Bruijn and J.-Y. 
Girard (it contains all the product-formation rules we have seen) and in which it is 
then possible to express all the higher-order logic (but it does not allow to express 
more functions than Fuj). This system served as a basis for the proof assistant Coq 
[112]. 

Pure Type Systems (PTS) 

At the end of the 80's, H. Barendregt [9] remarked that many type systems (λ→, λP, F, Fω, CC, etc.) can be characterized by their product-formation rules. This led to the presentation we adopted here. By considering the following general typing rule, parametrized by two sorts $s_1, s_2 \in \{*, \Box\}$: 

$(s_1, s_2)$  $\frac{\Gamma \vdash T : s_1 \quad \Gamma, x{:}T \vdash U : s_2}{\Gamma \vdash (x{:}T)U : s_2}$ 

it is possible to have 4 different rules ($(*,*)$ corresponds to (prod-λ→), $(*,\Box)$ to (prod-λP), $(\Box,*)$ to (prod-F), and $(\Box,\Box)$ to (prod-Fω)) and hence, starting from $(*,*)$, 8 different systems, which one can organize in a cube whose directions correspond to the presence or absence of dependent types (rule $(*,\Box)$), polymorphic types (rule $(\Box,*)$) or type constructors (rule $(\Box,\Box)$) (see Figure 1.2). 

Figure 1.2: Barendregt's Cube (the diagram itself is not reproduced). Its vertices include λ→ (simple types, rule (*,*) only), LF and λP (dependent types, rule (*,□)), F (polymorphic types, rule (□,*)), Fω (polymorphic types and type constructors, rule (□,□)) and CC (all three rules); the three directions of the cube are dependent types, polymorphic types and type constructors. 

- λ→ denotes the simply-typed λ-calculus of A. Church [30], 

- LF (Logical Framework) denotes the system of R. Harper, F. Honsell and G. Plotkin [68], 

- λP denotes the AUTOMATH system of N. de Bruijn [42], 

- F and Fω respectively denote the second-order and higher-order polymorphic λ-calculus of J.-Y. Girard [64], 

- CC denotes the Calculus of Constructions of T. Coquand and G. Huet [38]. 



This led S. Berardi [19] and J. Terlouw [113] to a more systematic study of type systems with respect to expressible types, until the definition by H. Geuvers and M.-J. Nederhof of the Pure Type Systems (PTS) [59], which are type systems parametrized by: 

- a set of sorts $S$ representing the different universes of discourse ($\{*, \Box\}$ in the Cube), 

- a set of axioms $A \subseteq S^2$ representing how these universes are included in one another ($\{(*, \Box)\}$ in the Cube) and the rule: 

(ax) $\vdash s_1 : s_2$  if $(s_1, s_2) \in A$ 

- a set of product-formation rules $B \subseteq S^3$ representing the possible quantifications ($\{(*,*,*), (*,\Box,\Box), (\Box,*,*), (\Box,\Box,\Box)\}$ in the Cube) and the rule: 

(prod) $\frac{\Gamma \vdash T : s_1 \quad \Gamma, x{:}T \vdash U : s_2}{\Gamma \vdash (x{:}T)U : s_3}$  if $(s_1, s_2, s_3) \in B$ 

Calculus of Inductive Constructions (CIC) 

We have seen that the Calculus of Constructions is a very powerful system in which it is possible to express many functions. However, these functions cannot be defined as one would like. For example, it does not seem possible to program the predecessor function on natural numbers so that its evaluation takes constant time [64]. This is not the case in P. Martin-Löf's system, where natural numbers and their induction principle are first-class objects, while in the Calculus of Constructions natural numbers are impredicatively defined. 

This is why, in 1988, T. Coquand and C. Paulin proposed the Calculus of Inductive Constructions (CIC) [39], which makes the synthesis between the Calculus of Constructions and P. Martin-Löf's type theory, and hence enables one to write more efficient programs. In 1994, B. Werner [119] proved the termination of cut-elimination in this system. (In 1993, T. Altenkirch [2] had also proved this property, but for a presentation of the calculus with equality judgments.) 

But, even in this system, some algorithms may be inexpressible. L. Colson [32] proved for example that, with a call-by-value evaluation strategy (reduction of the arguments first), the minimum function of two natural numbers cannot be implemented by a program whose evaluation time is proportional to the minimum of the two arguments. 



1.2 Motivations 



We said at the beginning that rewriting is a simple and general computation paradigm based on rewrite rules. This notion is of course very old, but it has been seriously studied since the 70's, starting with the work of D. Knuth and P. Bendix [18]. They studied rewriting in order to decide whether, in a given equational theory, an equation is valid or not. Rewriting was then quickly adopted as a programming paradigm [96, 67, 55, 71, 31], since any computable function can be defined by rewrite rules (Turing-completeness). 

Let us see the case of addition and multiplication on natural numbers, defined from $0$ for zero and $s$ for the successor function: 

$0 + x \to x$ 
$s(x) + y \to s(x + y)$ 
$0 \times x \to 0$ 
$s(x) \times y \to (x \times y) + y$ 

These rules completely define these two arithmetic operations: starting from two arbitrary natural numbers $p$ and $q$ (expressed with $0$ and $s$), $p + q$ and $p \times q$ rewrite in a finite number of steps to a term which cannot be further rewritten, that is, to a numeral representing the value of $p + q$ and $p \times q$ respectively. 
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Higher-order rewriting 

We can also imagine definitions using functional parameters or abstractions : this 
is higher-order rewriting as opposed to first-order rewriting which does not allow 
functional parameters or abstractions. For example, the function map which to a 
function / and a list of natural numbers (a±, . . . ,a n ) associates the list (f(a±), . . ., 
f{a n )), can be defined by the following rules : 

map(f, nil) — > nil 
map(f,cons(x,£)) — > cons(fx,map(f,£)) 

where nil stand for the empty list and cons for the function which adds an element 
at the head of a list. 

Hence, the rules defining the recursor of an inductive type (the /--reduction) are 
a particular case of higher-order rewriting. 

Easier definitions 

One can see that definitions by rewriting are more natural and easier to write than those based on recursors, as in P. Martin-Löf's type theory or in the Calculus of Inductive Constructions. For example, defining the function $\le$ on natural numbers by recursion requires two levels of recursion (with the convention $rec(p_0, p_s, n)$ used above): 

$\lambda x.\, rec(\lambda y.\,true,\ \lambda n\,z.\,\lambda y.\, rec(false,\ \lambda n'\,z'.\, z\,n',\ y),\ x)$ 

while the definition by rewriting is: 

$0 \le y \to true$ 
$s(x) \le 0 \to false$ 
$s(x) \le s(y) \to x \le y$ 

More efficient definitions 

From a computational point of view, definitions by rewriting can be made more efficient by adding rules. For example, with a definition by recursion on its first argument, computing $n + 0$ requires $n + 1$ reduction steps. By simply adding the rule $x + 0 \to x$, this takes only one step. 

However, it can become harder to ensure that, for any sequence of arguments, the definition always leads, in a finite number of steps (a property called strong normalization), to a unique result (a property called confluence), which we call the normal form of the starting expression. 

Quotient types 

Until now we have always spoken of natural numbers but never of integers. 
Yet they have an important place in mathematics. One way to represent integers 
is to add a predecessor function $p$ beside $0$ and $s$. Hence, $p(p(0))$ represents $-2$. 
Unfortunately, in this case, an integer can have several representations : $p(s(0))$ 
and $s(p(0))$ both represent $0$. In fact, integers are equivalent modulo the equations 
$p(s(x)) = x$ and $s(p(x)) = x$. 

However, it is possible to orient these equations so as to have a confluent and 
strongly normalizing rewrite system : $p(s(x)) \rightarrow x$ and $s(p(x)) \rightarrow x$. Then, each 
integer has a unique normal form. Therefore, we see that rewriting enables us to 
model quotient types without using further extensions [14]. 
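The three points above (the rewrite definition of $\le$, the cost of normalizing $n + 0$ with and without the rule $x + 0 \rightarrow x$, and integers modulo $p(s(x)) \rightarrow x$ and $s(p(x)) \rightarrow x$) can be checked with the following small first-order rewriting engine. It is an added example in Python and not part of the thesis; the term encoding, the order of the rules and the strategy of always contracting the first redex found (root first, then arguments from left to right) are my own choices, and the step counts depend on that strategy. The function `locally_confluent_at` only checks, for one given term, that all its one-step reducts have the same normal form; it is not a proof of confluence.

```python
# Added example, not from the thesis: a minimal first-order rewriting engine
# used to (1) run the rewrite definition of <= from "Easier definitions",
# (2) count the reduction steps of n + 0 with and without the rule x + 0 -> x,
# and (3) compute normal forms of integers modulo p(s(x)) -> x, s(p(x)) -> x.
# Encoding (my convention): a variable is a str such as 'x'; an applied symbol
# is a tuple (symbol, arg_1, ..., arg_n); a constant is a 1-tuple such as ('0',).

def is_var(t):
    return isinstance(t, str)

def match(pattern, term, subst=None):
    """First-order matching: a substitution sigma with pattern.sigma == term,
    or None.  A repeated (non-linear) variable must be bound consistently."""
    subst = {} if subst is None else subst
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        subst[pattern] = term
        return subst
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for pa, ta in zip(pattern[1:], term[1:]):
        if match(pa, ta, subst) is None:
            return None
    return subst

def apply_subst(t, subst):
    if is_var(t):
        return subst.get(t, t)
    return (t[0],) + tuple(apply_subst(a, subst) for a in t[1:])

def reducts(t, rules):
    """All one-step rewrites of t: rules tried at the root first, in the order
    given, then in the arguments from left to right."""
    out = []
    if is_var(t):
        return out
    for lhs, rhs in rules:
        sigma = match(lhs, t)
        if sigma is not None:
            out.append(apply_subst(rhs, sigma))
    for i in range(1, len(t)):
        for u in reducts(t[i], rules):
            out.append(t[:i] + (u,) + t[i + 1:])
    return out

def normalize(t, rules, max_steps=10_000):
    """Rewrite with the first available redex until none is left; return
    (normal_form, steps).  The bound only guards against a rule set that is
    not strongly normalizing; it is not a termination proof."""
    steps = 0
    while True:
        rs = reducts(t, rules)
        if not rs:
            return t, steps
        if steps >= max_steps:
            raise RuntimeError("no normal form within the step bound")
        t, steps = rs[0], steps + 1

def locally_confluent_at(t, rules):
    """True if all one-step reducts of t have the same normal form (a local
    check of confluence; meaningful only for strongly normalizing rules)."""
    return len({normalize(u, rules)[0] for u in reducts(t, rules)}) <= 1

# --- the rule sets discussed in the text ---------------------------------------
ZERO, TRUE, FALSE = ('0',), ('true',), ('false',)
def s(t): return ('s', t)
def p(t): return ('p', t)
def plus(a, b): return ('+', a, b)
def leq(a, b): return ('<=', a, b)
def nat(n): return ZERO if n == 0 else s(nat(n - 1))

RULES_LEQ = [(leq(ZERO, 'y'), TRUE),
             (leq(s('x'), ZERO), FALSE),
             (leq(s('x'), s('y')), leq('x', 'y'))]
# + defined by recursion on its first argument
RULES_PLUS = [(plus(ZERO, 'y'), 'y'),
              (plus(s('x'), 'y'), s(plus('x', 'y')))]
# the same definition with the extra rule x + 0 -> x, tried first
RULES_PLUS_FAST = [(plus('x', ZERO), 'x')] + RULES_PLUS
# integers as words over s and p, oriented as p(s(x)) -> x and s(p(x)) -> x
RULES_INT = [(p(s('x')), 'x'), (s(p('x')), 'x')]

if __name__ == "__main__":
    print(normalize(leq(nat(2), nat(3)), RULES_LEQ))          # (('true',), 3)
    print(normalize(plus(nat(3), ZERO), RULES_PLUS)[1])       # 4 steps
    print(normalize(plus(nat(3), ZERO), RULES_PLUS_FAST)[1])  # 1 step
    print(normalize(s(p(p(s(ZERO)))), RULES_INT))             # (('0',), 2)
```

With `RULES_PLUS` the term $s^3(0) + 0$ needs four steps (three applications of the second rule, one of the first), with `RULES_PLUS_FAST` one step, as stated above; the integer $s(p(p(s(0))))$ normalizes to $0$ in two steps, and $p(s(p(0)))$ has two one-step reducts that both normalize to $p(0)$.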

More typable terms 

The introduction of rewriting in a dependent type system allows one to type 
more terms and therefore to formalize more propositions. Let us consider, in the 
Calculus of Inductive Constructions, the type $listn : nat \rightarrow \star$ of lists of natural 
numbers of length $n$, with the constructors $niln : listn(0)$ for the empty list and 
$consn : nat \rightarrow (n:nat)listn(n) \rightarrow listn(s(n))$ for adding an element at the head 
of a list. Let $appn : (n:nat)listn(n) \rightarrow (n':nat)listn(n') \rightarrow listn(n + n')$ be the 
concatenation function. Like $+$, $appn$ can be defined by using the recursor associated 
with the type $listn$. Assume furthermore that $+$ and $appn$ are defined by induction 
on their first argument. Then, the following propositions are not typable : 

$$\begin{array}{rcl}
appn(n, \ell, 0, \ell') & = & \ell \\
appn(n + n', appn(n, \ell, n', \ell'), n'', \ell'') & = & appn(n, \ell, n' + n'', appn(n', \ell', n'', \ell''))
\end{array}$$

In the first proposition, the left-hand side is of type $listn(n + 0)$ and the right-hand side 
is of type $listn(n)$. We can prove that $(n:nat)\, n + 0 = n$ by induction on $n$, but 
$n + 0$ is not $\beta\iota$-convertible to $n$ since $+$ is defined by induction on its first argument. 
Therefore, we cannot apply the (conv) rule for typing the equality. 

In the second proposition, the left-hand side is of type $listn((n + n') + n'')$ and the 
right-hand side is of type $listn(n + (n' + n''))$. Again, although we can prove that 
$(n + n') + n'' = n + (n' + n'')$ (associativity of $+$), the two terms are not $\beta\iota$-convertible. 
Therefore, we cannot apply the (conv) rule for typing the equality. 

This shows a limitation of definitions by recursion. The use of rewriting, 
that is, the replacement in the (conv) rule of the $\iota$-reduction by a reduction relation 
$\rightarrow_{\mathcal{R}}$ generated from a user-defined set $\mathcal{R}$ of arbitrary rewrite rules : 

$$\mathrm{(conv)}\quad \frac{\Gamma \vdash t : T \qquad T \downarrow_{\beta\mathcal{R}} T' \qquad \Gamma \vdash T' : \star}{\Gamma \vdash t : T'}$$

allows us to type the previous propositions, which are not typable in the Calculus of 
Inductive Constructions. 



Automatic equational proofs 

Another motivation for introducing rewriting in type systems is that it makes 
equational proofs much easier, which is the reason why rewriting was studied initially. 
Indeed, in the case of a confluent and strongly normalizing rewrite system, to check 
whether two terms are equal, it suffices to check whether they have the same normal 
form. 

Moreover, it is not necessary to keep a trace of the rewriting steps since this 
computation can be done again (if the equality is decidable). This reduces the size 
of proof-terms and enables us to deal with bigger proofs, which is a critical problem 
now in proof assistants. 
Integration of decision procedures 

One can also imagine defining predicates by rewriting or having simplification 
rules on propositions, hence generalizing the definitions by strong elimination of 
the Calculus of Inductive Constructions [99]. For example, one can consider the set 
of rules of Figure 1.3 [70] where $xor$ (exclusive "or") and $\wedge$ are commutative and 
associative symbols, $\bot$ represents the proposition always false and $\top$ the proposition 
always true (by taking a constant $I$ of type $\top$). 

Figure 1.3: Decision procedure for classical propositional tautologies 

$$\begin{array}{rcl}
P\ xor\ \bot & \rightarrow & P \\
P\ xor\ P & \rightarrow & \bot \\
\neg P & \rightarrow & P\ xor\ \top \\
P \wedge \top & \rightarrow & P \\
P \wedge \bot & \rightarrow & \bot \\
P \wedge P & \rightarrow & P \\
P \wedge (Q\ xor\ R) & \rightarrow & (P \wedge Q)\ xor\ (P \wedge R) \\
P \vee Q & \rightarrow & (P \wedge Q)\ xor\ P\ xor\ Q \\
P \Rightarrow Q & \rightarrow & (P \wedge Q)\ xor\ P\ xor\ \top \\
P \Leftrightarrow Q & \rightarrow & (P\ xor\ Q)\ xor\ \top
\end{array}$$



J. Hsiang [70] showed that this system is confluent and strongly normalizing and 
that a proposition $P$ is a tautology (i.e. is always true) if and only if $P$ reduces to $\top$. This 
system is therefore a decision procedure for classical propositional tautologies. 

Hence, type-level rewriting allows the integration of decision procedures. Indeed, 
thanks to the conversion rule (conv), if $P$ is a tautology then $I$, the canonical proof 
of $\top$, is a proof of $P$. In other words, if the typing relation is decidable, to know 
whether a proposition $P$ is a tautology, it is sufficient to submit $I$ to the verification 
program as a proof of $P$. 
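As an added example (Python, not from the thesis nor from [70]), here is the decision procedure of Figure 1.3 implemented directly on the normal forms of Hsiang's system rather than by rewriting modulo associativity and commutativity: a proposition is represented as a set of monomials, each monomial being a set of variable names (the empty monomial is $\top$, the empty set of monomials is $\bot$), so that $xor$ is symmetric difference and $\wedge$ distributes over it, which is exactly what the rules $P\ xor\ P \rightarrow \bot$, $P \wedge P \rightarrow P$ and $P \wedge (Q\ xor\ R) \rightarrow (P \wedge Q)\ xor\ (P \wedge R)$ enforce. The connective constructors (`var`, `neg`, `conj`, ...) and the tuple encoding of formulas are my own.

```python
# Added example, not from the thesis: the normal forms of Hsiang's system of
# Figure 1.3, computed directly.  A proposition is a frozenset of monomials and
# a monomial is a frozenset of variable names.  The empty monomial is T (true),
# the empty set of monomials is F (false).  Formulas are nested tuples built
# with the constructors below (my convention).

T = frozenset({frozenset()})   # the proposition always true
F = frozenset()                # the proposition always false

def var(name): return ('var', name)
def neg(a): return ('not', a)
def xor(a, b): return ('xor', a, b)
def conj(a, b): return ('and', a, b)
def disj(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)
def iff(a, b): return ('iff', a, b)
TRUE, FALSE = ('T',), ('F',)

def poly_xor(a, b):
    # P xor F -> P and P xor P -> F: a monomial occurring twice cancels
    return a ^ b

def poly_and(a, b):
    # P and (Q xor R) -> (P and Q) xor (P and R): distribute over every pair;
    # P and P -> P is the idempotence of the union of two monomials
    acc = frozenset()
    for m in a:
        for n in b:
            acc = poly_xor(acc, frozenset({m | n}))
    return acc

def nf(f):
    """Normal form of a formula as a set of monomials."""
    tag = f[0]
    if tag == 'T':
        return T
    if tag == 'F':
        return F
    if tag == 'var':
        return frozenset({frozenset({f[1]})})
    if tag == 'not':                                    # not P -> P xor T
        return poly_xor(nf(f[1]), T)
    a, b = nf(f[1]), nf(f[2])
    if tag == 'xor':
        return poly_xor(a, b)
    if tag == 'and':
        return poly_and(a, b)
    if tag == 'or':                                     # P or Q -> (P and Q) xor P xor Q
        return poly_xor(poly_xor(poly_and(a, b), a), b)
    if tag == 'imp':                                    # P => Q -> (P and Q) xor P xor T
        return poly_xor(poly_xor(poly_and(a, b), a), T)
    if tag == 'iff':                                    # P <=> Q -> (P xor Q) xor T
        return poly_xor(poly_xor(a, b), T)
    raise ValueError("unknown connective %r" % (tag,))

def is_tautology(f):
    """P is a tautology iff its normal form is T (Hsiang)."""
    return nf(f) == T

def show(polynomial):
    """Readable rendering of a normal form, e.g. 'P xor PQ xor T'."""
    if not polynomial:
        return 'F'
    return ' xor '.join(sorted(''.join(sorted(m)) or 'T' for m in polynomial))

if __name__ == "__main__":
    P, Q = var('P'), var('Q')
    print(show(nf(imp(P, Q))))                          # P xor PQ xor T
    print(is_tautology(imp(imp(imp(P, Q), P), P)))      # True (Peirce's law)
    print(is_tautology(imp(P, Q)))                      # False
```

Peirce's law $((P \Rightarrow Q) \Rightarrow P) \Rightarrow P$, which is classically but not intuitionistically valid, normalizes to $\top$, as the text says a classical decision procedure must; $P \Rightarrow Q$ normalizes to $(P \wedge Q)\ xor\ P\ xor\ \top$, which is not $\top$.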

We can also imagine simplification rules for equality like the ones of Figure 1.4 
where $+$ and $\times$ are associative and commutative, and $=$ is commutative. 

Figure 1.4: Simplification rules for equality 

$$\begin{array}{rcl}
x + 0 & \rightarrow & x \\
x + s(y) & \rightarrow & s(x + y) \\
x \times 0 & \rightarrow & 0 \\
x \times s(y) & \rightarrow & (x \times y) + x \\
x \times (y + z) & \rightarrow & (x \times y) + (x \times z) \\
x = x & \rightarrow & \top \\
s(x) = s(y) & \rightarrow & x = y \\
s(x) = 0 & \rightarrow & \bot \\
x + y = 0 & \rightarrow & x = 0 \wedge y = 0 \\
x \times y = 0 & \rightarrow & x = 0 \vee y = 0
\end{array}$$

1.3 Previous works 

The first work on the combination of typed $\lambda$-calculus and (first-order) rewriting 
was due to V. Breazu-Tannen in 1988 [25]. He showed that the combination 
of simply-typed $\lambda$-calculus and first-order rewriting is confluent if the rewriting is 
confluent. In 1989, V. Breazu-Tannen and J. Gallier [26], and M. Okada [97] in- 
dependently, showed that strong normalization is also preserved. These results 
were extended by D. Dougherty [47] to any "stable" set of pure $\lambda$-terms. 
In 1991, J.-P. Jouannaud and M. Okada [74] extended the result of V. Breazu-Tannen 
and J. Gallier to higher-order rewrite systems satisfying the General Schema, 
a generalization of the primitive recursion schema. With higher-order rewriting, 
strong normalization becomes more difficult to prove since there is a strong inter- 
action between rewriting and $\beta$-reduction, which is not the case with first-order 
rewriting. 

In 1993, M. Fernandez [54] extended this method to the Calculus of Constructions 
with object-level rewriting and simply-typed symbols. The methods used for first- 
order rewriting and non-dependent systems [26, 47] cannot be applied to this case 
because rewriting is not just a syntactic addition : as it is included in the 
type conversion rule (conv), it is a component of typing (in particular, it allows more 
terms to be typed). 

Other methods for proving strong normalization appeared. In 1996, J. van de Pol 
[116] extended to the simply-typed $\lambda$-calculus the use of monotone interpretations. 
In 1999, J.-P. Jouannaud and A. Rubio [76] extended to the simply-typed $\lambda$-calculus 
the method RPO (Recursive Path Ordering) [100, 44]. This method (HORPO) is 
more powerful than the General Schema since it is a recursively defined ordering. 

In all these works, even the ones on the Calculus of Constructions, function 
symbols are always simply typed. It was T. Coquand [34] in 1992 who initiated the 
study of rewriting on dependent and polymorphic symbols. He studied the complete- 
ness of definitions on dependent types. For strong normalization, he proposed 
a schema more general than the schema of J.-P. Jouannaud and M. Okada since it 
allows recursive definitions on strictly positive types [39], but it does not necessarily 
imply strong normalization. In 1996, E. Gimenez [62] defined a restriction of this 
schema for which he proved strong normalization. In 1999, J.-P. Jouannaud, M. 
Okada and I [23, 22] extended the General Schema, keeping simply-typed symbols, 
in order to deal with strictly positive types. Finally, in 2000, D. Walukiewicz [118] 
extended J.-P. Jouannaud and A. Rubio's HORPO to the Calculus of Constructions 
with dependent and polymorphic symbols. 

But there still is a common point between all these works : rewriting is always 
confined to the object level. 

In 1998, G. Dowek, T. Hardin and C. Kirchner [50] proposed a new approach to 
deduction for first-order logic : Natural Deduction Modulo (NDM) a congruence 
$\equiv$ on propositions. This deduction system consists of replacing the rules of usual 
Natural Deduction by rules working modulo $\equiv$. For example, the elimination rule 
for $\Rightarrow$ (modus ponens) is replaced by : 

$$(\Rightarrow\text{-elim-modulo})\quad \frac{\Gamma \vdash R \qquad \Gamma \vdash P}{\Gamma \vdash Q} \quad \text{if } R \equiv P \Rightarrow Q$$

They proved that the simple theory of types and skolemized set theory can 
be seen as first-order theories modulo some congruences, using explicit substitutions. 
In [51], G. Dowek and B. Werner gave several conditions ensuring the strong nor- 
malization of cut elimination. 
1.4 Contributions 

Our main contribution was establishing very general conditions for ensuring the 
strong normalization of the Calculus of Constructions extended with type level 
rewriting [20]. We showed that our conditions are satisfied by a large subsystem 
of the Calculus of Inductive Constructions (CIC) and by Natural Deduction Modulo 
(NDM) a large class of equational theories. 

Our work can be seen as an extension of both the Natural Deduction Modulo and 
the Calculus of Constructions, where the congruence not only includes first-order 
rewriting but also higher-order rewriting since, in the Calculus of Constructions, 
functions and predicates can be applied to functions and predicates. 

It can therefore serve as the basis of a powerful extension of proof assistants like 
Coq [112] and LEGO [82] which allow definitions by recursion only. Indeed, strong 
normalization not only ensures the logical consistency (if the symbols are consistent) 
but also the decidability of type checking, that is, the verification that a term is the 
proof of a proposition. 

For deciding particular classes of problems, it may be more efficient to use spe- 
cialized rewriting-based applications like CiME [33], ELAN [24] or Maude [31]. Fur- 
thermore, for program extraction [98], we can use rewriting-based languages and 
hence get more efficient extracted programs. 

To consider type-level rewriting is not completely new : a particular case is the 
"strong elimination" of the Calculus of Inductive Constructions, that is, the ability 
to define predicates by induction on some inductive data type. The main novelty 
here is to consider any set of user-defined rewrite rules. 

The strong normalization proofs with strong elimination of B. Werner [119] and 
T. Altenkirch [2] use in an essential way the fact that the definitions are inductive. 

Moreover, the methods used in case of first-order rewriting [26, 4, 47] cannot 
be applied here. Firstly, we consider higher-order rewriting which has a strong 
interaction with /3-reduction. Secondly, rewriting is part of the type conversion rule, 
which implies that more terms are typable. 

For establishing our conditions and proving their correctness, we have adapted 
the method of reducibility candidates of Tait and Girard [64], also used by F. Bar- 
banera, M. Fernandez and H. Geuvers [7, 6, 5] for object-level rewriting and by B. 
Werner and T. Altenkirch for strong elimination. As candidates, they all use sets 
of pure (untyped) $\lambda$-terms and, except T. Altenkirch, they all use intermediate lan- 
guages of type systems. Building on a work by T. Coquand and J. Gallier [36], we use 
candidates made of well-typed terms and do not use intermediate languages. We 
therefore get a simpler and shorter proof for a more general result. 

We also mention other contributions. 

For allowing quotient types (rules on constructors) and matching on function 
symbols, which is not possible in the Calculus of Inductive Constructions, we use a 
notion of "constructor" more general than the usual one (see Subsection 6.2). 

For ensuring the subject reduction property, that is, the preservation of typing 
under reduction, we introduce new conditions more general than the ones previously 
used. In particular, these conditions allow us to get rid of many non-linearities due 
to typing, which makes rewriting more efficient and confluence easier to prove. 

1.5 Outline of the thesis 

Chapter 3 : We study the basic properties of Pure Type Systems whose type 
conversion relation is abstract. We call such a system a Type System Modulo (TSM). 

Chapter 4 : We study the properties of a particular class of TSM's, those whose 
conversion relation is generated from a reduction relation. We call such a system a 
Reduction Type System (RTS). An essential problem in these systems is to make 
sure that the reduction relation preserves typing (subject reduction property). 

Chapter 5 : We give sufficient conditions for ensuring the subject reduction 
property in RTS's whose reduction relation is generated from rewrite rules. We call 
such a system an Algebraic Type System (ATS). 

Chapter 6 : In this chapter and the following ones, we consider a particular 
ATS, the Calculus of Algebraic Constructions (CAC). We give sufficient conditions 
for ensuring its strong normalization. 

Chapter 7 : We give important examples of type systems satisfying our strong 
normalization conditions. Among these systems, we find a sub-system with strong 
elimination of the Calculus of Inductive Constructions (CIC) which is the basis of 
the proof assistant Coq [112]. We also find Natural Deduction Modulo (NDM) a 
large class of equational theories. 

Chapter 8 : We prove the correctness of our strong normalization conditions 
and clearly indicate which conditions are used. An index enables one to find where 
each condition is used. 

Chapter 9 : We finish by enumerating several directions for future research 
which could improve or extend our strong normalization conditions. 
Chapter 2 

Preliminaries 



In this chapter, we define the syntax of the systems we will study and recall a few 
elementary notions about $\lambda$-calculus, Pure Type Systems (PTS) (see [10] for more 
details) and relations. This syntax simply extends the syntax of PTS's by adding 
symbols ($nat$, $0$, $+$, $>$, ...) which must be applied to as many arguments as are 
required by their specified arity (see Remark 10 for a discussion about this notion). 

Definition 1 (Sorted $\lambda$-systems) A sorted $\lambda$-system is given by : 

- a set of sorts $\mathcal{S}$, 

- a family $\mathcal{F} = (\mathcal{F}^s_n)_{s \in \mathcal{S},\, n \ge 0}$ of sets of symbols, 

- a family $\mathcal{X} = (\mathcal{X}_s)_{s \in \mathcal{S}}$ of infinite denumerable sets of variables, 

such that all sets are disjoint. A symbol $f \in \mathcal{F}^s_n$ is of arity $a_f = n$ and of sort $s$. 
We will denote the set of symbols of sort $s$ by $\mathcal{F}^s$ and the set of symbols of arity $n$ 
by $\mathcal{F}_n$. 

Definition 2 (Terms) The set $\mathcal{T}$ of terms is the smallest set such that : 

- sorts and variables are terms; 

- if $x$ is a variable and $t$ and $u$ are terms then the dependent product $(x:t)u$ and 
the abstraction $[x:t]u$ are terms; 

- if $t$ and $u$ are terms then the application $tu$ is a term; 

- if $f$ is a symbol of arity $n$ and $t_1, \ldots, t_n$ are terms then $f(t_1, \ldots, t_n)$ is a term 
(some binary symbols like $+$, $\times$, ... will sometimes be written infix). 

Free and bound variables 

A variable $x$ in the scope of an abstraction $[x:T]$ or a product $(x:T)$ is bound. 
As usual, it may be replaced by another variable of the same sort. This is 
$\alpha$-equivalence. A variable which is not bound is free. We denote by $FV(t)$ the set of 
free variables of a term $t$ and by $FV_s(t)$ the set of its free variables of sort $s$. A term 
without free variables is closed. We often denote by $U \rightarrow V$ a product $(x:U)V$ such 
that $x \notin FV(V)$ (non-dependent product). 
Vectors 

We will often use vectors $(\vec{t}, \vec{u}, \ldots)$ for sequences of terms (or anything else). 
The size of a vector $\vec{t}$ is denoted by $|\vec{t}|$. For example, $[\vec{x}:\vec{T}]u$ denotes the term 
$[x_1:T_1] \ldots [x_n:T_n]u$ where $n = |\vec{x}|$. 

Definition 3 (Positions) To designate a subterm of a term, we use a system of 
positions. Formally, the set $Pos(t)$ of the positions in a term $t$ is the smallest set of 
words over the alphabet of positive integers such that : 

- $Pos(s) = Pos(x) = \{\varepsilon\}$, 

- $Pos((x:t)u) = Pos([x:t]u) = Pos(tu) = 1 \cdot Pos(t) \cup 2 \cdot Pos(u)$, 

- $Pos(f(\vec{t})) = \{\varepsilon\} \cup \bigcup \{ i \cdot Pos(t_i) \mid 1 \le i \le a_f \}$, 

where $\varepsilon$ denotes the empty word and $\cdot$ the concatenation. We denote by $t|_p$ the 
subterm of $t$ at the position $p$ and by $t[u]_p$ the term obtained by replacing $t|_p$ by $u$ 
in $t$. The relation "is a subterm of" is denoted by $\trianglelefteq$. 

Let $t$ be a term and $f$ be a symbol. We denote by $Pos(f, t)$ the set of the positions 
$p$ in $t$ where $t|_p$ is of the form $f(\vec{t})$. If $x$ is a variable, we denote by $Pos(x, t)$ the set 
of the positions $p$ in $t$ such that $t|_p$ is a free occurrence of $x$. 

Definition 4 (Substitution) A substitution $\theta$ is a map from $\mathcal{X}$ to $\mathcal{T}$ whose 
domain $dom(\theta) = \{x \in \mathcal{X} \mid x\theta \ne x\}$ is finite. Applying a substitution $\theta$ to a term $t$ 
consists of replacing all the free variables of $t$ by their image under $\theta$ (to avoid variable 
captures, bound variables must be distinct from free variables). The result is denoted 
by $t\theta$. We let $dom_s(\theta) = dom(\theta) \cap \mathcal{X}_s$. We denote by $\{\vec{x} \mapsto \vec{t}\}$ the substitution which 
associates $t_i$ to $x_i$, and by $\theta \cup \{x \mapsto t\}$ the substitution which associates $t$ to $x$ and 
$y\theta$ to $y \ne x$. 

Relations 

We now recall a few elementary definitions on relations. Let $\rightarrow$ be a relation on 
terms. 

- $\leftarrow$ is the inverse of $\rightarrow$. 

- $\rightarrow^+$ is the smallest transitive relation containing $\rightarrow$. 

- $\rightarrow^*$ is the smallest reflexive and transitive relation containing $\rightarrow$. 

- $\leftrightarrow^*$ is the smallest reflexive, transitive and symmetric relation containing $\rightarrow$. 

- $\downarrow$ is the relation $\rightarrow^* \leftarrow^*$ ($t \downarrow u$ if there exists $v$ such that $t \rightarrow^* v$ and $u \rightarrow^* v$). 

If $t \rightarrow t'$, we say that $t$ rewrites to $t'$. If $t \rightarrow^* t'$, we say that $t$ reduces to $t'$. 

The relation $\rightarrow$ is stable by context if $u \rightarrow u'$ implies $t[u]_p \rightarrow t[u']_p$ for all terms $t$ 
and positions $p \in Pos(t)$. 

The relation $\rightarrow$ is stable by substitution if $t \rightarrow t'$ implies $t\theta \rightarrow t'\theta$ for all substi- 
tutions $\theta$. 

The $\beta$-reduction (resp. $\eta$-reduction) relation is the smallest relation stable by 
context and substitution containing $[x:U]t\, u \rightarrow t\{x \mapsto u\}$ (resp. $[x:U]tx \rightarrow t$ 
if $x \notin FV(t)$). A term of the form $[x:U]t\, u$ (resp. $[x:U]tx$ with $x \notin FV(t)$) is a 
$\beta$-redex (resp. $\eta$-redex). 
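The positions of Definition 3, the substitution of Definition 4 and one-step $\beta$-reduction at a given position, as an added Python example (not from the thesis): the tuple encoding of the term syntax of Definition 2 and the way bound variables are renamed apart when a substitution would capture them are my own choices; the thesis only requires bound variables to be distinct from free ones.

```python
# Added example, not from the thesis: the positions of Definition 3, the
# substitution of Definition 4 and one-step beta-reduction on the term syntax
# of Definition 2.  Encoding (my convention):
#   ('sort', s)   ('var', x)   ('prod', x, T, U) for (x:T)U   ('abs', x, T, u) for [x:T]u
#   ('app', t, u)   ('sym', f, (t_1, ..., t_n)) for f(t_1, ..., t_n)
# A position is a tuple of positive integers; () is the empty word epsilon.
from itertools import count

_fresh = count()   # counter used to rename a bound variable apart

def children(t):
    """Immediate subterms numbered 1..n as in Definition 3 (1 = type, 2 = body)."""
    tag = t[0]
    if tag in ('sort', 'var'):
        return ()
    if tag in ('prod', 'abs', 'app'):
        return (t[-2], t[-1])
    return tuple(t[2])

def positions(t):
    """Pos(t) = {epsilon} together with i.Pos(t_i) for each child t_i."""
    out = [()]
    for i, c in enumerate(children(t), start=1):
        out += [(i,) + q for q in positions(c)]
    return out

def subterm(t, p):
    """t|_p"""
    for i in p:
        t = children(t)[i - 1]
    return t

def replace(t, p, u):
    """t[u]_p: the term obtained by replacing t|_p by u."""
    if not p:
        return u
    cs = list(children(t))
    cs[p[0] - 1] = replace(cs[p[0] - 1], p[1:], u)
    if t[0] == 'sym':
        return ('sym', t[1], tuple(cs))
    return t[:-2] + tuple(cs)

def free_vars(t):
    """FV(t); the binder of (x:T)U and [x:T]u scopes over U / u only."""
    tag = t[0]
    if tag == 'sort':
        return set()
    if tag == 'var':
        return {t[1]}
    if tag in ('prod', 'abs'):
        return free_vars(t[2]) | (free_vars(t[3]) - {t[1]})
    if tag == 'app':
        return free_vars(t[1]) | free_vars(t[2])
    return set().union(*(free_vars(a) for a in t[2]))

def subst(t, sigma):
    """t.sigma: replace the free variables of t by their images.  A binder that
    would capture a free variable of an image is renamed first (alpha-equivalence)."""
    tag = t[0]
    if tag == 'sort':
        return t
    if tag == 'var':
        return sigma.get(t[1], t)
    if tag == 'app':
        return ('app', subst(t[1], sigma), subst(t[2], sigma))
    if tag == 'sym':
        return ('sym', t[1], tuple(subst(a, sigma) for a in t[2]))
    x, ty, body = t[1], t[2], t[3]
    # x is bound in body, so only the other variables are substituted there
    inner = {y: v for y, v in sigma.items() if y != x and y in free_vars(body)}
    captured = set().union(*(free_vars(v) for v in inner.values()))
    if x in captured:
        x2 = "%s_%d" % (x, next(_fresh))
        body, x = subst(body, {x: ('var', x2)}), x2
    return (tag, x, subst(ty, sigma), subst(body, inner))

def is_beta_redex(t):
    return t[0] == 'app' and t[1][0] == 'abs'

def beta_redexes(t):
    """Positions of the beta-redexes of t."""
    return [q for q in positions(t) if is_beta_redex(subterm(t, q))]

def beta_step(t, p):
    """Contract the beta-redex at position p: [x:U]t u --> t{x |-> u}."""
    r = subterm(t, p)
    if not is_beta_redex(r):
        raise ValueError("no beta-redex at position %r" % (p,))
    _, x, _ty, body = r[1]
    return replace(t, p, subst(body, {x: r[2]}))
```

Contracting $([x:nat][y:nat]x)\, y$ at the root illustrates why the side condition on captures matters: the bound $y$ of the inner abstraction is renamed, so the result is $[y':nat]y$ with the free $y$ kept free, and not $[y:nat]y$.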
Normalization 

The relation $\rightarrow$ is weakly normalizing if, for every term $t$, there exists an irreducible 
term $t'$ to which $t$ reduces. We say that $t'$ is a normal form of $t$. The relation $\rightarrow$ 
is strongly normalizing (well-founded, noetherian) if, for every term $t$, any reduction 
sequence issued from $t$ is finite. 

Confluence 

The relation $\rightarrow$ is locally confluent if, whenever a term $t$ rewrites to two distinct 
terms $u$ and $v$, then $u \downarrow v$. The relation $\rightarrow$ is confluent if, whenever a term $t$ reduces 
to two distinct terms $u$ and $v$, then $u \downarrow v$. 

If $\rightarrow$ is locally confluent and strongly normalizing then $\rightarrow$ is confluent [94] (Newman's lemma). If $\rightarrow$ 
is confluent and weakly normalizing then every term $t$ has a unique normal form, denoted 
by $t\!\downarrow$. 

Lexicographic and multiset orderings 

Let $>_1, \ldots, >_n$ be orderings on $E_1, \ldots, E_n$ respectively. We denote by $(>_1, \ldots, >_n)_{lex}$ 
the lexicographic ordering on $E_1 \times \ldots \times E_n$ built from $>_1, \ldots, >_n$. For exam- 
ple, for $n = 2$, $(x, y)\ (>_1, >_2)_{lex}\ (x', y')$ if $x >_1 x'$ or, $x = x'$ and $y >_2 y'$. 

Let $E$ be a set. A multiset $M$ on $E$ is a function from $E$ to $\mathbb{N}$ ($M(x)$ denotes the 
number of occurrences of $x$ in $M$). We denote by $\mathcal{M}(E)$ the set of finite multisets on 
$E$. Let $>$ be an ordering on $E$; the multiset extension of $>$ is the ordering $>_{mul}$ on 
$\mathcal{M}(E)$ defined as follows : $M >_{mul} N$ if there exist $P, Q \in \mathcal{M}(E)$ such that $P \ne \emptyset$, 
$P \subseteq M$, $N = (M \setminus P) \cup Q$ and, for all $y \in Q$, there exists $x \in P$ such that $x > y$. 

An important property of these extensions is that they preserve well-foundedness. 
For more details on these notions, one can consult [3]. 
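An added Python example (not from the thesis) of the two extensions as executable comparisons. It assumes that the base orderings are strict (irreflexive and transitive); for such orderings, $M >_{mul} N$ holds exactly when $P = M \setminus N$ is non-empty and every element of $Q = N \setminus M$ is dominated by some element of $P$, which is the witness pair computed below instead of searching over all $P$ and $Q$.

```python
# Added example, not from the thesis: the lexicographic and multiset extensions
# of strict orderings, checked on finite tuples and finite multisets.
from collections import Counter

def lex_greater(xs, ys, gts):
    """(>_1, ..., >_n)_lex on tuples of equal length: the first position where
    the components differ decides, using that position's ordering."""
    if len(xs) != len(ys) or len(xs) != len(gts):
        raise ValueError("tuples and orderings must have the same length")
    for x, y, gt in zip(xs, ys, gts):
        if gt(x, y):
            return True
        if x != y:
            return False
    return False          # equal tuples: not strictly greater

def mul_greater(M, N, gt):
    """M >_mul N for finite multisets given as iterables of elements.
    Takes P = M \\ N and Q = N \\ M (multiset differences): then P is a
    sub-multiset of M, N = (M \\ P) + Q, and the definition asks that P be
    non-empty and every y in Q be dominated by some x in P."""
    cm, cn = Counter(M), Counter(N)
    P, Q = cm - cn, cn - cm     # Counter subtraction drops non-positive counts
    if not P:                   # P must be non-empty (this also rules out M = N)
        return False
    return all(any(gt(x, y) for x in P) for y in Q)

if __name__ == "__main__":
    gt = lambda a, b: a > b
    print(mul_greater([5], [3, 3, 3, 4], gt))      # True: one 5 beats any number of smaller elements
    print(mul_greater([3, 4], [3, 3, 3], gt))      # True: 4 is replaced by two copies of 3
    print(lex_greater((1, 5), (1, 3), [gt, gt]))   # True: first components equal, 5 > 3
```

The first call is the typical use in termination arguments: replacing one element by arbitrarily many strictly smaller ones still decreases in $>_{mul}$, which is why the extension preserves well-foundedness.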
Chapter 3 

Type Systems Modulo (TSM's) 



In this chapter, we consider an extension of PTS's with function and predicate sym- 
bols and a conversion rule (conv) where $\leftrightarrow^*_\beta$ is replaced by an arbitrary conversion 
relation $\mathcal{C}$. 

There have already been different extensions of PTS's, in particular : 

- In 1989, Z. Luo [81] studied an extension of the Calculus of Constructions with 
a cumulative hierarchy of sorts ($\star \prec \Box = \Box_0 \prec \Box_1 \prec \ldots$), the Extended Calculus 
of Constructions (ECC) : $\mathcal{C}$ is the smallest quasi-ordering including $\leftrightarrow^*_\beta$ and $\prec$ 
which is compatible with the product structure ($U'\ \mathcal{C}\ U$ and $V\ \mathcal{C}\ V'$ implies 
$(x:U)V\ \mathcal{C}\ (x:U')V'$). 

- In 1993, H. Geuvers [58] studied the PTS's with $\eta$-reduction : $\mathcal{C} = \leftrightarrow^*_{\beta\eta}$. 

- In 1993, M. Fernandez [54] studied an extension of the Calculus of Constructions 
with higher-order rewriting a la Jouannaud-Okada [74], the $\lambda\mathcal{R}$-cube : $\mathcal{C} = \leftrightarrow^*_{\beta\mathcal{R}}$. 

- In 1994, E. Poll and P. Severi [101] studied the PTS's with abbreviations (let $x =$ 
... in ...) : $\mathcal{C} = \leftrightarrow^*_{\beta\delta}$ where $\rightarrow_\delta$ is the replacement of an abbreviation 
by its definition. 

- In 1994, B. Werner [119] studied an extension of the Calculus of Constructions 
with inductive types, the Calculus of Inductive Constructions (CIC), introduced 
by T. Coquand and C. Paulin in 1988 [39] : $\mathcal{C} = \leftrightarrow^*_{\beta\iota}$ where $\rightarrow_\iota$ is the reduction 
relation associated with the elimination schemas of inductive types. 

- Between 1995 and 1998, G. Barthe and his co-authors [15, 16, 17, 13] considered 
different extensions of the Calculus of Constructions or of the PTS's with con- 
version relations more or less abstract, often based on rewriting a la Jouannaud- 
Okada [74], hence extending the work of M. Fernandez [54]. 

In all these works, basic properties well known in the case of PTS's must be proved 
again since new constructions or a new conversion relation $\mathcal{C}$ are introduced. This is why 
it appears useful to us to study the properties of PTS's equipped with an abstract 
conversion relation $\mathcal{C}$. 

Such a need is not new since it has already been undertaken in formal developments : 

- In 1994, R. Pollack [102] formally proved in LEGO [82], an implementation of 
ECC with inductive types, that type checking in ECC (without inductive types) 
is decidable (by assuming of course that the calculus is strongly normalizing). 
Type checking consists in deciding whether, in some environment $\Gamma$, a term $t$ is of type $T$ (i.e. is 
a proof of $T$). To this end, he showed many properties of PTS's in the case of 
a conversion relation $\mathcal{C} = \le$ which is reflexive, transitive and stable by substitution and 
context. 

- In 1999, B. Barras [11] formally proved in Coq [12], another implementation of 
ECC with inductive types, that type checking in Coq (so, with inductive types) is 
decidable (again, of course, by assuming that the calculus is strongly normalizing). 
To this end, he also showed some properties of PTS's in the case of a conversion 
relation $\mathcal{C} = \le$, again reflexive, transitive and stable by substitution and context. 
In fact, he considered an extension of PTS's with a schema of typing rules for 
introducing new constructions in a generic way (abbreviations, inductive types, 
elimination schemas). 

Hence, on the one hand, we make fewer assumptions on the conversion relation 
$\mathcal{C}$ than R. Pollack or B. Barras. This is justified by the fact that, in the work of M. 
Fernandez [54] for example, the proof that reduction preserves typing relies on the 
fact that the conversion relation is not transitive. On the other hand, our typing 
rule for function symbols is not as general as the one of B. Barras. 

3.1 Definition 

Definition 5 (Environment) An environment $\Gamma$ is a list of pairs $x_i : T_i$ made of 
a variable $x_i$ and a term $T_i$. We denote by $\emptyset$ the empty environment, by $\mathcal{E}$ the 
set of environments and by $x\Gamma$ the term $T_i$ associated to $x_i$ in $\Gamma$. The set of free 
variables of an environment $\Gamma$ is $FV(\Gamma) = \bigcup \{FV(x\Gamma) \mid x \in dom(\Gamma)\}$. The domain 
of an environment $\Gamma$ is the set of variables to which $\Gamma$ associates a term. Given two 
environments $\Gamma$ and $\Gamma'$, $\Gamma$ is included in $\Gamma'$, written $\Gamma \subseteq \Gamma'$, if all the elements of $\Gamma$ 
occur in $\Gamma'$ in the same order. 

Definition 6 (Type assignment) A type assignment is a function $\tau$ from $\mathcal{F}$ to 
$\mathcal{T}$ which, to a symbol $f$ of arity $n$, associates a closed term $\tau_f$ of the form $(\vec{x}:\vec{T})U$ 
where $|\vec{x}| = n$. We will denote by $\Gamma_f$ the environment $\vec{x}:\vec{T}$. 

Definition 7 (TSM) A Type System Modulo (TSM) is a sorted $\lambda$-system $(\mathcal{S}, \mathcal{F}, \mathcal{X})$ 
with : 

- a set of axioms $\mathcal{A} \subseteq \mathcal{S}^2$, 

- a set of product formation rules $\mathcal{B} \subseteq \mathcal{S}^3$, 

- a type assignment $\tau$, 

- a conversion relation $\mathcal{C} \subseteq \mathcal{T}^2$. 

A $\beta$TSM (resp. $\eta$TSM) is a TSM such that $\leftrightarrow^*_\beta \subseteq \mathcal{C}$ (resp. $\leftrightarrow^*_\eta \subseteq \mathcal{C}$). 
Definition 8 (Typing) The typing relation of a TSM is the smallest ternary re- 
lation $\vdash \subseteq \mathcal{E} \times \mathcal{T} \times \mathcal{T}$ defined by the inference rules of Figure 3.1. Compared with 
PTS's, we have a new rule, (symb), for typing the symbols and, in the conversion 
rule (conv), instead of the $\beta$-conversion, we have an abstract conversion relation $\mathcal{C}$. 
A term $t$ is typable if there exist an environment $\Gamma$ and a term $T$ such that $\Gamma \vdash t : T$ 
($T$ is a type of $t$ in $\Gamma$). An environment $\Gamma$ is valid if there exists a term typable in 
$\Gamma$. In the rule (symb), the premise "$\Gamma$ valid" is therefore useful only if $f$ is of null 
arity ($n = 0$). 

- $T = \{t \in \mathcal{T} \mid \exists \Gamma \in \mathcal{E}, \exists T \in \mathcal{T}, \Gamma \vdash t : T\}$ is the set of typable terms, 

- $T^s_\Box = \{T \in \mathcal{T} \mid \exists \Gamma \in \mathcal{E}, \Gamma \vdash T : s\}$ is the set of predicates of sort $s$, 

- $T^s_\star = \{t \in \mathcal{T} \mid \exists \Gamma \in \mathcal{E}, \exists T \in \mathcal{T}, \Gamma \vdash t : T \text{ and } \Gamma \vdash T : s\}$ is the set of objects of 
sort $s$, 

- $E = \{\Gamma \in \mathcal{E} \mid \exists t, T \in \mathcal{T}, \Gamma \vdash t : T\}$ is the set of valid environments. 



Figure 3.1: TSM typing rules 

$$\begin{array}{ll}
\mathrm{(ax)} & \dfrac{}{\vdash s_1 : s_2} \quad ((s_1, s_2) \in \mathcal{A}) \\[2ex]
\mathrm{(symb)} & \dfrac{\vdash \tau_f : s \qquad \Gamma \text{ valid} \qquad \Gamma \vdash t_1 : T_1\gamma \quad \ldots \quad \Gamma \vdash t_n : T_n\gamma}{\Gamma \vdash f(\vec{t}) : U\gamma} \quad (f \in \mathcal{F}^s_n,\ \tau_f = (\vec{x}:\vec{T})U,\ \gamma = \{\vec{x} \mapsto \vec{t}\}) \\[2ex]
\mathrm{(var)} & \dfrac{\Gamma \vdash T : s}{\Gamma, x:T \vdash x : T} \quad (x \in \mathcal{X}_s \setminus dom(\Gamma)) \\[2ex]
\mathrm{(weak)} & \dfrac{\Gamma \vdash t : T \qquad \Gamma \vdash U : s}{\Gamma, x:U \vdash t : T} \quad (x \in \mathcal{X}_s \setminus dom(\Gamma)) \\[2ex]
\mathrm{(prod)} & \dfrac{\Gamma \vdash T : s_1 \qquad \Gamma, x:T \vdash U : s_2}{\Gamma \vdash (x:T)U : s_3} \quad ((s_1, s_2, s_3) \in \mathcal{B}) \\[2ex]
\mathrm{(abs)} & \dfrac{\Gamma, x:T \vdash u : U \qquad \Gamma \vdash (x:T)U : s}{\Gamma \vdash [x:T]u : (x:T)U} \\[2ex]
\mathrm{(app)} & \dfrac{\Gamma \vdash t : (x:U)V \qquad \Gamma \vdash u : U}{\Gamma \vdash tu : V\{x \mapsto u\}} \\[2ex]
\mathrm{(conv)} & \dfrac{\Gamma \vdash t : T \qquad \Gamma \vdash T' : s'}{\Gamma \vdash t : T'} \quad (T\ \mathcal{C}\ T')
\end{array}$$



Remark 9 (Conversion) 

It might seem more natural to define (conv) in a symmetric way by adding the 
premise $\Gamma \vdash T : s$ or the premise $\Gamma \vdash T : s'$. We have chosen this definition for two 
reasons. First, it is defined in this way in the reference papers on PTS's [59, 10]. 
Second, from a practical point of view, for type checking, this avoids an additional 
test. However, we will see in Lemma 37 that, for many TSM's, we have $\Gamma \vdash T : s'$. 
We will denote by $\vdash'$ the typing relation defined by the same inference rules as for 
$\vdash$ but with (conv) replaced by : 

$$\mathrm{(conv')}\quad \frac{\Gamma \vdash t : T \qquad \Gamma \vdash T : s \qquad \Gamma \vdash T' : s'}{\Gamma \vdash t : T'} \quad (T\ \mathcal{C}\ T')$$

We will show the equivalence between $\vdash'$ and $\vdash$ in Lemma 43. 

In the same way, in full TSM's ($\forall s_1, s_2 \in \mathcal{S}, \exists s_3 \in \mathcal{S}, (s_1, s_2, s_3) \in \mathcal{B}$), the rule 
(abs) can be replaced by : 

Finally, we will denote by $\vdash_w$ the typing relation defined by the same inference 
rules as for $\vdash$ but with (weak) replaced by : 

$$\mathrm{(weak')}\quad \frac{\Gamma \vdash t : T \qquad \Gamma \vdash U : s}{\Gamma, x:U \vdash t : T} \quad (x \in \mathcal{X}_s \setminus dom(\Gamma),\ t \in \mathcal{X} \cup \mathcal{S})$$

that is, where weakening is restricted to variables and sorts ($t \in \mathcal{X} \cup \mathcal{S}$). We will 
show the equivalence between $\vdash_w$ and $\vdash$ in Lemma 19. 

Remark 10 (Arity) 

One can wonder why symbols are equipped with a fixed arity since, in general, 
in $\lambda$-calculus, one is used to considering higher-order constants. Of course, having an 
arity is not a restriction since, to a symbol $f$ of arity $n$ and type $(\vec{x}:\vec{T})U$, one 
can always associate a curried version $f_c$ of null arity defined by the rewrite rule 
$f_c \rightarrow [\vec{x}:\vec{T}]f(\vec{x})$. Furthermore, in practice, the existence of arities can be masked by 
doing $\eta$-expansions if $f$ is not applied to enough arguments, or by doing additional 
applications if $f$ is applied to too many arguments. However, without arities, we 
would have a simpler presentation where the rule (symb) would be reduced to : 

$$\mathrm{(symb')}\quad \frac{}{\vdash f : \tau_f} \quad (f \in \mathcal{F}^s)$$

To our knowledge, except for the works of Jouannaud and Okada [75] and of G. 
Barthe and his co-authors [15, 16, 17, 13], most of the other works on the combination 
of typed $\lambda$-calculi and rewriting [25, 26, 54] do not use arities for typing symbols. 
We have chosen to use arities for technical reasons. With the method we use for 
proving strong normalization, we need an application $uv$ not to be a rewriting redex 
(see Chapter 5 for an explanation of these notions and Lemma 121, case $T = (x:U)V$, 
(b), (R3) for the use of this property). The introduction of arities enables 
us to syntactically distinguish between the application of the $\lambda$-calculus and the 
application of a symbol. But one may wonder whether this notion is really necessary. 
Definition 11 (Well-typed substitution) Given two valid environments $\Gamma$ and 
$\Delta$, a substitution $\theta$ is well typed between $\Gamma$ and $\Delta$, written $\theta : \Gamma \rightarrow \Delta$, if, for all $x \in dom(\Gamma)$, 
$\Delta \vdash x\theta : x\Gamma\theta$. 

For example, in the rule (symb), we have $\gamma : \Gamma_f \rightarrow \Gamma$ where $\Gamma_f = \vec{x}:\vec{T}$. 

3.2 Properties 

In this section and the following one, we prove some properties of TSM's that are 
well known for PTS's (except Lemma 22). Apart from the new case (symb), which we 
will detail each time, proofs are identical to the ones for PTS's. The fact that, in 
(conv), $\leftrightarrow^*_\beta$ is replaced by an arbitrary relation $\mathcal{C}$ is not important. For more details, 
the reader is invited to look at [59, 10, 58]. 

Lemma 12 (Free variables) Let $\Gamma = \vec{x}:\vec{T}$ be an environment. If $\Gamma \vdash t : T$ then : 

(a) the $x_i$ are distinct from one another, 

(b) $FV(t) \cup FV(T) \subseteq dom(\Gamma)$, 

(c) for all $i$, $FV(T_i) \subseteq \{x_1, \ldots, x_{i-1}\}$. 

Proof. By induction on $\Gamma \vdash t : T$. We only detail the new case (symb). (a) and 
(c) are true by induction hypothesis. Let us see (b) now. By induction hypothesis, 
$FV(\tau_f) = \emptyset$ and, for all $i$, $FV(t_i) \subseteq dom(\Gamma)$. Therefore, $FV(f(\vec{t})) \subseteq dom(\Gamma)$. Hence, 
$FV(U\gamma) \subseteq dom(\Gamma)$ since $FV(U) \subseteq \{\vec{x}\}$ and $\gamma = \{\vec{x} \mapsto \vec{t}\}$. $\blacksquare$ 

Lemma 13 (Subterms) If a term is typable then all its subterms are typable. 

Proof. By induction on $\Gamma \vdash t : T$. In the case of (symb), by induction hypoth- 
esis, for all $i$, all the subterms of $t_i$ are typable. Therefore, all the subterms of $f(\vec{t})$ 
are typable. $\blacksquare$ 

Lemma 14 (Environment) Let $\Gamma = \vec{x}:\vec{T}$ be a valid environment. 

(a) If $x_i$ is of sort $s$ then $x_1:T_1, \ldots, x_{i-1}:T_{i-1} \vdash T_i : s$. 

(b) For all $i$, $x_1:T_1, \ldots, x_i:T_i \vdash x_i : T_i$. 

Proof. By (var), (b) is an immediate consequence of (a). We prove (a) by 
induction on $\Gamma \vdash t : T$. In the case (symb), as $\Gamma$ is valid, there exist $v$ and $V$ such 
that $\Gamma \vdash v : V$. Therefore, by induction hypothesis, (a) is true. $\blacksquare$ 

The following lemma is a form of $\alpha$-equivalence on the variables of an environ- 
ment. 

Lemma 15 (Replacement) If $\Gamma, y:W, \Gamma' \vdash t : T$, $y \in \mathcal{X}_s$ and $z \in \mathcal{X}_s \setminus dom(\Gamma, y:W, \Gamma')$ 
then $\Gamma, z:W, \Gamma'\{y \mapsto z\} \vdash t\{y \mapsto z\} : T\{y \mapsto z\}$. 

Proof. By induction on $\Gamma, y:W, \Gamma' \vdash t : T$. Let $\theta = \{y \mapsto z\}$, $\Delta = \Gamma, y:W, \Gamma'$ 
and $\Delta' = \Gamma, z:W, \Gamma'\theta$. In the case (symb), by induction hypothesis, we have $\Delta'$ valid 
and, for all $i$, $\Delta' \vdash t_i\theta : T_i\gamma\theta$. Therefore, by (symb), $\Delta' \vdash f(\vec{t}\theta) : U\gamma\theta$. $\blacksquare$ 
Lemma 16 (Weakening) If $\Gamma \vdash t : T$ and $\Gamma \subseteq \Gamma' \in E$ then $\Gamma' \vdash t : T$. 

Proof. By induction on $\Gamma \vdash t : T$. In the case (symb), by induction hypothesis, 
we have $\Gamma'$ valid and, for all $i$, $\Gamma' \vdash t_i : T_i\gamma$. Therefore, by (symb), $\Gamma' \vdash f(\vec{t}) : U\gamma$. $\blacksquare$ 

Lemma 17 (Transitivity) Let $\Gamma$ and $\Delta$ be two valid environments. If $\Gamma \vdash t : T$ 
and, for all $x \in dom(\Gamma)$, $\Delta \vdash x : x\Gamma$, which we will denote by $\Delta \vdash \Gamma$, then $\Delta \vdash t : T$. 

Proof. By induction on $\Gamma \vdash t : T$. In the case (symb), by induction hypothesis, 
we have $\Delta$ valid and, for all $i$, $\Delta \vdash t_i : T_i\gamma$. Therefore, by (symb), $\Delta \vdash f(\vec{t}) : U\gamma$. $\blacksquare$ 

Lemma 18 (Weak permutation) If $\Gamma, y:A, z:B, \Gamma' \vdash t : T$ and $\Gamma \vdash B : s$ then 
$\Gamma, z:B, y:A, \Gamma' \vdash t : T$. 

Proof. Let $\Delta = \Gamma, y:A, z:B, \Gamma'$ and $\Delta' = \Gamma, z:B, y:A, \Gamma'$. By transitivity, 
it suffices to prove that $\Delta'$ is valid and that $\Delta' \vdash \Delta$. And to this end, it suffices 
to prove that $\Delta'$ is valid. By the Environment Lemma, we have $\Gamma \vdash A : s'$ and, 
by hypothesis, we have $\Gamma \vdash B : s$. Therefore, by weakening, $\Gamma, z:B, y:A$ is 
valid. Assume that $\Gamma' = \vec{x}:\vec{T}$ and let $\Delta_i = \Gamma, y:A, z:B, x_1:T_1, \ldots, x_i:T_i$ and 
$\Delta'_i = \Gamma, z:B, y:A, x_1:T_1, \ldots, x_i:T_i$. We prove by induction on $i$ that $\Delta'_i$ is valid. We 
have already proved that $\Delta'_0$ is valid. Assume that $\Delta'_i$ is valid. By the Environment 
Lemma, $\Delta_i \vdash T_{i+1} : s_{i+1}$. As $\Delta'_i \vdash \Delta_i$, $\Delta'_i \vdash T_{i+1} : s_{i+1}$ and $\Delta'_{i+1}$ is valid. Therefore, 
$\Delta'$ is valid and $\Delta' \vdash t : T$. $\blacksquare$ 

Lemma 19 (Equivalence of $\vdash_w$ and $\vdash$) $\vdash_w \; = \; \vdash$.

Proof. First of all, it is clear that $\vdash_w \subseteq \vdash$. We prove the reverse by induction on
$\Gamma \vdash t : T$. The only difficult case is of course (weak): from $\Gamma \vdash t : T$ and $\Gamma \vdash U : s$,
we get $\Gamma, x:U \vdash t : T$. By induction hypothesis, we have $\Gamma \vdash_w t : T$ and $\Gamma \vdash_w U : s$.
One has to modify the proof of $\Gamma \vdash_w t : T$ by adding $x:U$ at the appropriate places
in order to obtain a proof of $\Gamma, x:U \vdash_w t : T$. See Lemma 4.4.21 page 102 in [58] for
more details. ■



Now, let us see what we can do about the derivations of $\Gamma \vdash t : T$ and the form
of $T$ with respect to $t$. To this end, we introduce relations related to the rule (conv).

Definition 20 (Conversion relations)

- $T \; \mathcal{C}_\Gamma \; T'$ iff $T \; \mathcal{C} \; T'$ and there exist $t$, $t'$ and $s'$ such that $\Gamma \vdash t : T$, $\Gamma \vdash t' : T'$ and
$\Gamma \vdash T' : s'$,

- $T \; \mathcal{C}^s_\Gamma \; T'$ iff $T \; \mathcal{C}_\Gamma \; T'$ and there exists $s$ such that $\Gamma \vdash T : s$,

- $\Gamma \; \mathcal{C} \; \Gamma'$ iff $\Gamma = \vec{x}:\vec{T}$, $\Gamma' = \vec{x}:\vec{T}'$ and, either $|\vec{x}| = 0$, or there exists $j$ such that
$T_j \; \mathcal{C}^s_{x_1:T_1, \ldots, x_{j-1}:T_{j-1}} \; T'_j$ and, for all $i \neq j$, $T_i = T'_i$.

We have $\mathcal{C}^s_\Gamma \subseteq \mathcal{C}_\Gamma$ but, as opposed to $\mathcal{C}^s_\Gamma$, $\mathcal{C}_\Gamma$ is not defined in a symmetric way.
This comes from the asymmetry of the rule (conv) which requires $\Gamma \vdash T' : s'$ but
not $\Gamma \vdash T : s$. However, we will see in Lemma 37 that, for many TSM's, these two
relations are equal. As usual, $\mathcal{C}^*_\Gamma$ and $\mathcal{C}^{s*}_\Gamma$ denote the reflexive and transitive closures of these relations.

Lemma 21 (Inversion) Assume that $\Gamma \vdash t : T$.

- If $t = s$ then there exists $s'$ such that $(s, s') \in \mathcal{A}$ and $s' \; \mathcal{C}^*_\Gamma \; T$.

- If $t = f(\vec{t})$, $f \in \mathcal{F}^s$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{t}\}$ then $\vdash \tau_f : s$, $\gamma : (\vec{x}:\vec{T}) \to \Gamma$
and $U\gamma \; \mathcal{C}^*_\Gamma \; T$.

- If $t = x \in \mathcal{X}^s$ then $\Gamma \vdash x\Gamma : s$ and $x\Gamma \; \mathcal{C}^*_\Gamma \; T$.

- If $t = (x:U)V$ then there exists $(s_1, s_2, s_3) \in \mathcal{B}$ such that $\Gamma \vdash U : s_1$, $\Gamma, x:U \vdash V : s_2$ and $s_3 \; \mathcal{C}^*_\Gamma \; T$.

- If $t = [x:U]v$ then there exists $V$ such that $\Gamma, x:U \vdash v : V$ and $(x:U)V \; \mathcal{C}^*_\Gamma \; T$.

- If $t = uv$ then there exist $V$ and $W$ such that $\Gamma \vdash u : (x:V)W$, $\Gamma \vdash v : V$ and
$W\{x \mapsto v\} \; \mathcal{C}^*_\Gamma \; T$.

Proof. A typing derivation always finishes by a rule distinct from (weak) and
(conv) followed by a possibly empty sequence of (weak)'s and (conv)'s. We hence
get the term to which $T$ is convertible. For typing judgments, it suffices to do a
weakening to express them in $\Gamma$. ■

Lemma 22 (Environment conversion) If $\Gamma \vdash t : T$ and $\Gamma \; \mathcal{C} \; \Gamma'$ then $\Gamma' \vdash t : T$.

Proof. We have $\Gamma = \vec{x}:\vec{T}$, $\Gamma' = \vec{x}:\vec{T}'$ and there exists $j$ such that $T_j \; \mathcal{C}^s_\Delta \; T'_j$
with $\Delta = x_1:T_1, \ldots, x_{j-1}:T_{j-1}$ and, for all $i \neq j$, $T_i = T'_i$. By transitivity, it
suffices to prove that, for all $i$, $\Gamma' \vdash x_i : T_i$. Let $n = |\vec{x}|$, $\Gamma_1 = x_1:T_1, \ldots, x_{j-1}:T_{j-1}$
and $\Gamma_2 = x_{j+1}:T_{j+1}, \ldots, x_n:T_n$. We proceed by induction on the size of $\Gamma_2$.

If $\Gamma_2$ is empty then $\Gamma = \Gamma_1, x_j:T_j$ and $\Gamma' = \Gamma_1, x_j:T'_j$. Since $\Gamma$ is valid, $\Gamma_1$ is
valid and, for all $i < j$, $\Gamma_1 \vdash x_i : T_i$. Since $T_j \; \mathcal{C}^s_{\Gamma_1} \; T'_j$, there exist $s$ and $s'$ such
that $\Gamma_1 \vdash T_j : s$ and $\Gamma_1 \vdash T'_j : s'$. By (weak), we get, for all $i < j$, $\Gamma' \vdash x_i : T_i$, and
by (var), we get $\Gamma' \vdash x_j : T'_j$. From $\Gamma_1 \vdash T_j : s$, by (weak), we also get $\Gamma' \vdash T_j : s$.
Therefore, by (conv), $\Gamma' \vdash x_j : T_j$.

Assume now that $\Gamma_2 = \Gamma_3, x_n:T_n$. Let $\Delta = \Gamma_1, x_j:T_j, \Gamma_3$ and $\Delta' = \Gamma_1, x_j:T'_j, \Gamma_3$.
By induction hypothesis, for all $i < n$, $\Delta' \vdash x_i : T_i$. Since $\Gamma$ is valid, there exists $s$
such that $\Delta \vdash T_n : s$. By transitivity, we get $\Delta' \vdash T_n : s$. Therefore, by (var), we
get $\Gamma' \vdash x_n : T_n$, and by (weak), $\Gamma' \vdash x_i : T_i$ for all $i < n$. ■

3.3 TSM's stable by substitution 

Definition 23 (TSM stable by substitution) A TSM is stable by substitution
if its conversion relation $\mathcal{C}$ is stable by substitution.

Lemma 24 (Substitution) If $\mathcal{C}$ is stable by substitution, $\Gamma \vdash t : T$ and $\theta : \Gamma \to \Delta$
then $\Delta \vdash t\theta : T\theta$.

Proof. By induction on $\Gamma \vdash t : T$. In the case (symb), by induction hypothesis,
we have $\Delta \vdash t_i\theta : T_i\gamma\theta$. Therefore, by (symb), $\Delta \vdash f(\vec{t}\theta) : U\gamma\theta$. ■

Corollary 25 If $\mathcal{C}$ is stable by substitution, $\Gamma, x:U, \Gamma' \vdash t : T$ and $\Gamma \vdash u : U$ then
$\Gamma, \Gamma'\{x \mapsto u\} \vdash t\{x \mapsto u\} : T\{x \mapsto u\}$.

Proof. We have to prove that $\theta = \{x \mapsto u\}$ is a well-typed substitution from
$\Gamma, x:U, \Gamma'$ to $\Gamma, \Gamma'\theta$. We proceed by induction on the size of $\Gamma'$. If $\Gamma'$ is empty, this is
immediate since $\Gamma$ is valid and $\Gamma \vdash u : U$. Assume now that $\Gamma' = \Gamma'', y:V$. Let $\Delta =
\Gamma, x:U, \Gamma''$ and $\Delta' = \Gamma, \Gamma''\theta$. By induction hypothesis, $\theta : \Delta \to \Delta'$. Since $\Delta \vdash V : s$,
by substitution, we get $\Delta' \vdash V\theta : s$. Therefore, by (var), $\Delta', y:V\theta \vdash y : V\theta$. Now,
let $z \in \mathrm{dom}(\Delta)$. As $\Delta \vdash z : z\Delta$, by substitution, $\Delta' \vdash z\theta : z\Delta\theta$. Then, by (weak),
$\Delta', y:V\theta \vdash z\theta : z\Delta\theta$. ■

Corollary 26 If $\mathcal{C}$ is stable by substitution, $\theta_1 : \Gamma_0 \to \Gamma_1$ and $\theta_2 : \Gamma_1 \to \Gamma_2$ then
$\theta_1\theta_2 : \Gamma_0 \to \Gamma_2$.

Proof. Let $x \in \mathrm{dom}(\Gamma_0)$. Since $\theta_1 : \Gamma_0 \to \Gamma_1$, by definition we have $\Gamma_1 \vdash x\theta_1 :
x\Gamma_0\theta_1$, and since $\theta_2 : \Gamma_1 \to \Gamma_2$, by substitution, we get $\Gamma_2 \vdash x\theta_1\theta_2 : x\Gamma_0\theta_1\theta_2$. ■

Definition 27 (Maximal sort) A sort $s$ is maximal if there does not exist any
sort $s'$ such that $(s, s') \in \mathcal{A}$.

Lemma 28 (Correctness of types) If $\mathcal{C}$ is stable by substitution and $\Gamma \vdash t : T$
then, either $T$ is a maximal sort, or there exists a sort $s$ such that $\Gamma \vdash T : s$. In
other words, the set of typable terms is $\bigcup\{\mathcal{T}^s_0 \cup \mathcal{T}^s_1 \mid s \in \mathcal{S}\}$.

Proof. By induction on $\Gamma \vdash t : T$. In the case (symb), we have $\vdash \tau_f : s$. By
inversion, there exists $s'$ such that $\Gamma_f \vdash U : s'$. As $\gamma : \Gamma_f \to \Gamma$, by substitution,
$\Gamma \vdash U\gamma : s'$. ■

Lemma 29 (Inversion for TSM's stable by substitution) Assume that $\Gamma \vdash t : T$.

- If $t = s$ then there exists $s'$ such that $(s, s') \in \mathcal{A}$ and $s' \; \mathcal{C}^*_\Gamma \; T$.

- If $t = f(\vec{t})$, $f \in \mathcal{F}^s$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{t}\}$ then $\vdash \tau_f : s$, $\gamma : (\vec{x}:\vec{T}) \to \Gamma$
and $U\gamma \; \mathcal{C}^{s*}_\Gamma \; T$.

- If $t = x \in \mathcal{X}^s$ then $\Gamma \vdash x\Gamma : s$ and $x\Gamma \; \mathcal{C}^*_\Gamma \; T$.

- If $t = (x:U)V$ then there exists $(s_1, s_2, s_3) \in \mathcal{B}$ such that $\Gamma \vdash U : s_1$, $\Gamma, x:U \vdash V : s_2$ and $s_3 \; \mathcal{C}^*_\Gamma \; T$.

- If $t = [x:U]v$ then there exists $V$ such that $\Gamma, x:U \vdash v : V$ and $(x:U)V \; \mathcal{C}^*_\Gamma \; T$.

- If $t = uv$ then there exist $V$ and $W$ such that $\Gamma \vdash u : (x:V)W$, $\Gamma \vdash v : V$ and
$W\{x \mapsto v\} \; \mathcal{C}^{s*}_\Gamma \; T$.

Proof. Only the cases $t = f(\vec{t})$ and $t = uv$ have been modified.

- $t = f(\vec{t})$. By inversion, $\vdash \tau_f : s$, $\gamma : (\vec{x}:\vec{T}) \to \Gamma$ and $U\gamma \; \mathcal{C}^*_\Gamma \; T$. By inversion again,
there exists $s'$ such that $\vec{x}:\vec{T} \vdash U : s'$. Therefore, by substitution, $\Gamma \vdash U\gamma : s'$
and $U\gamma \; \mathcal{C}^{s*}_\Gamma \; T$.

- $t = uv$. By inversion, there exist $V$ and $W$ such that $\Gamma \vdash u : (x:V)W$,
$\Gamma \vdash v : V$ and $W\{x \mapsto v\} \; \mathcal{C}^*_\Gamma \; T$. By correctness of types, there exists $s$ such
that $\Gamma \vdash (x:V)W : s$. By inversion, there exists $s'$ such that $\Gamma, x:V \vdash W : s'$.
Therefore, by substitution, $\Gamma \vdash W\{x \mapsto v\} : s'$ and $W\{x \mapsto v\} \; \mathcal{C}^{s*}_\Gamma \; T$. ■

3.4 Logical TSM's 

We now introduce an important class of TSM's for which $\beta$-reduction preserves
typing.

Definition 30 (Logical TSM) A TSM is logical if its conversion relation is product
compatible:

$(x:T)U \; \mathcal{C}^*_\Gamma \; (x':T')U'$ implies $T \; \mathcal{C}^*_\Gamma \; T'$ and $U \; \mathcal{C}^*_{\Gamma, x:T} \; U'\{x' \mapsto x\}$.

$T \; \mathcal{C}^*_\Gamma \; T'$ means that there exists a sequence of terms $\vec{T}$ such that $T_0 = T \; \mathcal{C}_\Gamma \; T_1
\ldots T_{n-1} \; \mathcal{C}_\Gamma \; T_n = T'$. So, there is no reason a priori to take $U \; \mathcal{C}^*_{\Gamma, x:T} \; U'\{x' \mapsto x\}$
instead of $U \; \mathcal{C}^*_{\Gamma, x:T_i} \; U'\{x' \mapsto x\}$ with $i \neq 0$. However, as $T \; \mathcal{C}^*_\Gamma \; T'$, by environment
conversion, this choice is not important.

Product compatibility is not a new condition and appears in all the previously
cited works but, to our knowledge, it has never received any special name.

All the TSM's cited at the beginning of this chapter are logical. In the case
where $\mathcal{C} = \leftrightarrow^*$ with $\to$ a confluent reduction relation, it is clear that $\mathcal{C}$ is product
compatible. To prove this property without using confluence is more delicate. This
is the case of PTS's with $\beta\eta$-reduction [58] or of the $\lambda R$-cube [54], an extension of the
Calculus of Constructions with higher-order rewriting à la Jouannaud-Okada at the
object level.

Lemma 31 (Subject reduction for $\beta$) In a logical $\beta$TSM, if $\Gamma \vdash t : T$ and $t \to_\beta t'$
then $\Gamma \vdash t' : T$.

Proof. We will say that an environment $\vec{x}:\vec{T}$ $\beta$-rewrites to an environment
$\vec{x}':\vec{T}'$, written $\vec{x}:\vec{T} \to_\beta \vec{x}':\vec{T}'$, if $\vec{x} = \vec{x}'$ and there exists $j$ such that $T_j \to_\beta T'_j$
and, for all $i \neq j$, $T_i = T'_i$. We simultaneously prove that:

(a) if $t \to_\beta t'$ then $\Gamma \vdash t' : T$,

(b) if $\Gamma \to_\beta \Gamma'$ then $\Gamma' \vdash t : T$,

by induction on $\Gamma \vdash t : T$.

(ax) $\vdash s_1 : s_2$ $\quad ((s_1, s_2) \in \mathcal{A})$

No $\beta$-reduction is possible in $s_1$ or in $\Gamma = \emptyset$.

(symb) $\dfrac{\vdash \tau_f : s \quad \Gamma \text{ valid} \quad \Gamma \vdash t_1 : T_1\gamma \ \ldots \ \Gamma \vdash t_n : T_n\gamma}{\Gamma \vdash f(\vec{t}) : U\gamma}$ $\quad (\tau_f = (\vec{x}:\vec{T})U,\ \gamma = \{\vec{x} \mapsto \vec{t}\})$

(a) If $f(\vec{t}) \to_\beta t'$ then $t' = f(\vec{t}')$ with $j$ such that $t_j \to_\beta t'_j$ and, for all $i \neq j$, $t_i = t'_i$.
By induction hypothesis, we have, for all $i$, $\Gamma \vdash t'_i : T_i\gamma$. Let $\gamma' = \{\vec{x} \mapsto \vec{t}'\}$.
We have $U\gamma \to^*_\beta U\gamma'$ and, for all $i$, $T_i\gamma \to^*_\beta T_i\gamma'$. As $\downarrow_\beta \subseteq \mathcal{C}$, $U\gamma \; \mathcal{C} \; U\gamma'$ and
$T_i\gamma \; \mathcal{C} \; T_i\gamma'$. If we prove that every $T_i\gamma'$ is typable in $\Gamma$ by a sort then, by
(conv), we have $\Gamma \vdash t'_i : T_i\gamma'$ and, by (symb), $\Gamma \vdash t' : U\gamma'$. It then suffices to
prove that $U\gamma$ is typable by a sort in $\Gamma$ to apply again (conv) and conclude
that $\Gamma \vdash t' : U\gamma$.

Let us begin by verifying that $U\gamma$ is typable by a sort. We have $\vdash \tau_f : s$.
By inversion, $\gamma : (\vec{x}:\vec{T}) \to \Gamma$ and there exists $s'$ such that $\vec{x}:\vec{T} \vdash U : s'$. By
substitution, we therefore get $\Gamma \vdash U\gamma : s'$.

Now, we are going to prove that every $T_i\gamma'$ is typable by a sort. To this
end, it suffices to prove that $\gamma' : (\vec{x}:\vec{T}) \to \Gamma$. Indeed, since $\vdash \tau_f : s$, by
inversion, every $T_i$ is typable by a sort in $\Gamma_{i-1} = x_1:T_1, \ldots, x_{i-1}:T_{i-1}$. Let
us prove by induction on $i$ that $\gamma' : \Gamma_i \to \Gamma$.

For $i = 0$, there is nothing to prove. Assume therefore that $\gamma' : \Gamma_i \to \Gamma$.
Then $\gamma' : \Gamma_{i+1} \to \Gamma$ if $\Gamma \vdash t'_{i+1} : T_{i+1}\gamma'$. We know that $\Gamma \vdash t'_{i+1} : T_{i+1}\gamma$,
$T_{i+1}\gamma \; \mathcal{C} \; T_{i+1}\gamma'$ and that there exists $s$ such that $\Gamma_i \vdash T_{i+1} : s$. Therefore,
by substitution, $\Gamma \vdash T_{i+1}\gamma' : s$ and, by (conv), $\Gamma \vdash t'_{i+1} : T_{i+1}\gamma'$.

(b) If $\Gamma \to_\beta \Gamma'$ then, by induction hypothesis, $\Gamma'$ is valid and $\Gamma' \vdash t_i : T_i\gamma$.
Therefore, by (symb), $\Gamma' \vdash f(\vec{t}) : U\gamma$.

(var) $\dfrac{\Gamma \vdash T : s}{\Gamma, x:T \vdash x : T}$

(a) No $\beta$-reduction is possible in $x$.

(b) There are two cases, depending on where the $\beta$-reduction takes place:

- $\Gamma \to_\beta \Gamma'$. By induction hypothesis, $\Gamma' \vdash T : s$. Therefore, by (var), $\Gamma', x:T \vdash x : T$.

- $T \to_\beta T'$. By induction hypothesis, $\Gamma \vdash T' : s$. Therefore, by (var),
$\Gamma, x:T' \vdash x : T'$. As $\downarrow_\beta \subseteq \mathcal{C}$, $T' \; \mathcal{C} \; T$. As $\Gamma \vdash T : s$, by (conv), $\Gamma, x:T' \vdash x : T$.

(weak) $\dfrac{\Gamma \vdash t : T \quad \Gamma \vdash U : s}{\Gamma, x:U \vdash t : T}$

(a) If $t \to_\beta t'$ then, by induction hypothesis, $\Gamma \vdash t' : T$. As $\Gamma \vdash U : s$, by (weak),
$\Gamma, x:U \vdash t' : T$.

(b) There are two cases, depending on where the $\beta$-reduction takes place:

- $\Gamma \to_\beta \Gamma'$. By induction hypothesis, $\Gamma' \vdash t : T$ and $\Gamma' \vdash U : s$. Therefore, by
(weak), $\Gamma', x:U \vdash t : T$.

- $U \to_\beta U'$. By induction hypothesis, $\Gamma \vdash U' : s$. Therefore, by (weak),
$\Gamma, x:U' \vdash t : T$.

(prod) $\dfrac{\Gamma \vdash T : s_1 \quad \Gamma, x:T \vdash U : s_2}{\Gamma \vdash (x:T)U : s_3}$ $\quad ((s_1, s_2, s_3) \in \mathcal{B})$

(a) There are two cases, depending on where the $\beta$-reduction takes place:

- $T \to_\beta T'$. By induction hypothesis, $\Gamma \vdash T' : s_1$ and $\Gamma, x:T' \vdash U : s_2$.
Therefore, by (prod), we get $\Gamma \vdash (x:T')U : s_3$.

- $U \to_\beta U'$. By induction hypothesis, $\Gamma, x:T \vdash U' : s_2$. Therefore, by (prod),
$\Gamma \vdash (x:T)U' : s_3$.

(b) If $\Gamma \to_\beta \Gamma'$ then, by induction hypothesis, $\Gamma' \vdash T : s_1$ and $\Gamma', x:T \vdash U : s_2$.
Therefore, by (prod), $\Gamma' \vdash (x:T)U : s_3$.

(abs) $\dfrac{\Gamma, x:T \vdash u : U \quad \Gamma \vdash (x:T)U : s}{\Gamma \vdash [x:T]u : (x:T)U}$

(a) There are two cases, depending on where the $\beta$-reduction takes place:

- $T \to_\beta T'$. By induction hypothesis, $\Gamma, x:T' \vdash u : U$ and $\Gamma \vdash (x:T')U : s$.
By (abs), $\Gamma \vdash [x:T']u : (x:T')U$. As $(x:T)U \to_\beta (x:T')U$ and $\downarrow_\beta \subseteq \mathcal{C}$,
$(x:T')U \; \mathcal{C} \; (x:T)U$. As $\Gamma \vdash (x:T)U : s$, by (conv), $\Gamma \vdash [x:T']u : (x:T)U$.

- $u \to_\beta u'$. By induction hypothesis, $\Gamma, x:T \vdash u' : U$. As $\Gamma \vdash (x:T)U : s$, by
(abs), $\Gamma \vdash [x:T]u' : (x:T)U$.

(b) If $\Gamma \to_\beta \Gamma'$ then, by induction hypothesis, $\Gamma', x:T \vdash u : U$ and $\Gamma' \vdash (x:T)U : s$.
Therefore, by (abs), $\Gamma' \vdash [x:T]u : (x:T)U$.

(app) $\dfrac{\Gamma \vdash t : (x:U)V \quad \Gamma \vdash u : U}{\Gamma \vdash tu : V\{x \mapsto u\}}$

(a) There are three cases, depending on where the $\beta$-reduction takes place:

- $t \to_\beta t'$. By induction hypothesis, $\Gamma \vdash t' : (x:U)V$. As $\Gamma \vdash u : U$, by (app),
$\Gamma \vdash t'u : V\{x \mapsto u\}$.

- $u \to_\beta u'$. By induction hypothesis, $\Gamma \vdash u' : U$. By (app), $\Gamma \vdash tu' : V\{x \mapsto u'\}$.
As $V\{x \mapsto u\} \to^*_\beta V\{x \mapsto u'\}$ and $\downarrow_\beta \subseteq \mathcal{C}$, $V\{x \mapsto u'\} \; \mathcal{C} \; V\{x \mapsto u\}$. By
inversion, there exists $s$ such that $\Gamma \vdash V\{x \mapsto u\} : s$. Therefore, by (conv),
$\Gamma \vdash tu' : V\{x \mapsto u\}$.

- $t = [x:U']v$ and $tu \to_\beta v\{x \mapsto u\}$. By inversion, there exists $V'$ such that
$\Gamma, x:U' \vdash v : V'$ and $(x:U')V' \; \mathcal{C}^*_\Gamma \; (x:U)V$. By product compatibility,
$U' \; \mathcal{C}^*_\Gamma \; U$ and $V' \; \mathcal{C}^*_{\Gamma, x:U'} \; V$. By environment conversion, $\Gamma, x:U \vdash v : V'$ and,
by (conv), $\Gamma, x:U \vdash v : V$. Finally, as $\Gamma \vdash u : U$, by substitution, $\Gamma \vdash v\{x \mapsto u\} : V\{x \mapsto u\}$.

(b) If $\Gamma \to_\beta \Gamma'$ then, by induction hypothesis, $\Gamma' \vdash t : (x:U)V$ and $\Gamma' \vdash u : U$.
Therefore, by (app), $\Gamma' \vdash tu : V\{x \mapsto u\}$.

(conv) $\dfrac{\Gamma \vdash t : T \quad T \; \mathcal{C} \; T' \quad \Gamma \vdash T' : s'}{\Gamma \vdash t : T'}$

(a) If $t \to_\beta t'$ then, by induction hypothesis, $\Gamma \vdash t' : T$. As $T \; \mathcal{C} \; T'$ and $\Gamma \vdash T' : s'$,
by (conv), $\Gamma \vdash t' : T'$.

(b) If $\Gamma \to_\beta \Gamma'$ then, by induction hypothesis, $\Gamma' \vdash t : T$ and $\Gamma' \vdash T' : s'$.
Therefore, by (conv), $\Gamma' \vdash t : T'$. ■
Chapter 4

Reduction Type Systems
(RTS's)

Now, we are going to study the case of TSM's whose conversion relation $\mathcal{C}$ is of
the form $\downarrow$ with $\to$ a reduction relation. We shall call such systems Reduction
Type Systems (RTS). Except for ECC [81] which uses a notion of subtyping, all
the systems previously mentioned at the beginning of Chapter 3 are RTS's, either
because they are defined in this way [54, 15], or because they are defined with $\mathcal{C} = \leftrightarrow^*$
and $\to$ confluent, which is equivalent [99, 58, 119, 101]. The general study of such
systems is justified by the fact that, in [54], the proof that reduction preserves typing
uses the fact that $\mathcal{C}$ is of the form $\downarrow$.

The proofs of Lemmas 41, 47, 50 and 52 are largely inspired by the ones
given by H. Geuvers and M.-J. Nederhof [59] or H. Geuvers [58].

4.1 Definition 

Definition 32 (RTS) A pre-RTS is a TSM whose conversion relation $\mathcal{C}$ is of the
form $\downarrow$ with $\to$ a relation stable by substitution and context. The relation $\to$ is
called the reduction relation of the pre-RTS. A pre-RTS is confluent if its reduction
relation is confluent. An RTS is a pre-RTS which is admissible, that is, whose
reduction relation preserves typing: $\Gamma \vdash t : T$ and $t \to t'$ imply $\Gamma \vdash t' : T$, a
property often called subject reduction.

Any pre-RTS satisfies the following elementary properties:

Lemma 33 The relation $\mathcal{C} = \downarrow$ is:

- symmetric: $T \; \mathcal{C} \; T'$ implies $T' \; \mathcal{C} \; T$.

- stable by substitution: $T \; \mathcal{C} \; T'$ implies $T\theta \; \mathcal{C} \; T'\theta$.

- stable by context: $T \; \mathcal{C} \; T'$ implies $C[T]_p \; \mathcal{C} \; C[T']_p$.

- preserves sorts: $s \; \mathcal{C} \; s'$ implies $s = s'$.

In ECC, the conversion relation $\mathcal{C}$ is not symmetric and does not preserve sorts.
It would be interesting to try to formulate some properties below in the more general
framework of Cumulative pure Type Systems (CTS) to which ECC belong. To this
end, the reader is referred to the works of Z. Luo [81], R. Pollack [102] and Barras
[11].

Subject reduction can be extended to types, environments and substitutions : 

Definition 34 A substitution $\theta$ rewrites to a substitution $\theta'$, $\theta \to \theta'$, if there exists
$x$ such that $x\theta \to x\theta'$ and, for all $y \neq x$, $y\theta = y\theta'$. An environment $\Gamma = \vec{x}:\vec{T}$
rewrites to an environment $\Gamma'$, $\Gamma \to \Gamma'$, if $\Gamma' = \vec{x}:\vec{T}'$ and there exists $i$ such that
$T_i \to T'_i$ and, for all $j \neq i$, $T_j = T'_j$.
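As an added illustration of Definition 34 (example code written for this edit, not code from the thesis), the two one-step relations are decided below over a constructed toy term language: terms are nested tuples, and the reduction relation is an assumed first-order rewrite system on unary naturals ($0 + n \to n$, $S(m) + n \to S(m + n)$), closed under context. Exactly one variable image (resp. one environment type) must make one step while every other one stays unchanged.

```python
# Added example, not code from the thesis.  Terms are nested tuples:
#   ('var', x)  |  ('sym', f, (t1, ..., tn))
# The reduction relation is a constructed rewrite system on unary naturals.

ZERO = ('sym', '0', ())
NAT = ('sym', 'nat', ())          # constructed sort-like constant symbol
N = ('var', 'n')                  # a term variable

def suc(t):
    return ('sym', 'S', (t,))

def plus(t, u):
    return ('sym', '+', (t, u))

def vec(t):
    return ('sym', 'vec', (t,))   # constructed type constructor indexed by a natural

def root_steps(t):
    """One-step reducts of t at the root for the assumed rules
       0 + n -> n   and   S(m) + n -> S(m + n)."""
    if t[0] == 'sym' and t[1] == '+':
        m, n = t[2]
        if m == ZERO:
            return [n]
        if m[0] == 'sym' and m[1] == 'S':
            return [suc(plus(m[2][0], n))]
    return []

def steps(t):
    """All one-step reducts of t: rewriting at the root or in any argument
       (this is the closure by context required of a pre-RTS reduction)."""
    out = list(root_steps(t))
    if t[0] == 'sym':
        args = t[2]
        for i, a in enumerate(args):
            for a2 in steps(a):
                out.append(('sym', t[1], args[:i] + (a2,) + args[i + 1:]))
    return out

def subst_rewrites(theta, theta2):
    """theta -> theta' (Definition 34): same domain, exactly one x with
       x theta -> x theta', and y theta = y theta' for every y != x."""
    if theta.keys() != theta2.keys():
        return False
    changed = [x for x in theta if theta[x] != theta2[x]]
    return len(changed) == 1 and theta2[changed[0]] in steps(theta[changed[0]])

def env_rewrites(gamma, gamma2):
    """Gamma -> Gamma' (Definition 34) for environments given as lists of (x, T):
       same variables in the same order, exactly one type T_i with T_i -> T'_i."""
    if [x for x, _ in gamma] != [x for x, _ in gamma2]:
        return False
    changed = [i for i, ((_, T), (_, T2)) in enumerate(zip(gamma, gamma2)) if T != T2]
    return len(changed) == 1 and gamma2[changed[0]][1] in steps(gamma[changed[0]][1])

if __name__ == "__main__":
    gamma = [('n', NAT), ('v', vec(plus(ZERO, N)))]
    print(env_rewrites(gamma, [('n', NAT), ('v', vec(N))]))        # one step in T_2
    print(subst_rewrites({'x': plus(suc(ZERO), ZERO)}, {'x': suc(plus(ZERO, ZERO))}))
```

The check deliberately rejects a two-step reduct (such as $S(0)+0$ against $S(0)$) and a simultaneous change of two types, since Definition 34 is a single-step relation at a single position.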

Lemma 35 In an RTS:

(a) if $\Gamma \vdash t : T$ and $T \to T'$ then $\Gamma \vdash t : T'$,

(b) if $\theta : \Gamma \to \Delta$ and $\theta \to \theta'$ then $\theta' : \Gamma \to \Delta$,

(c) if $\Gamma \vdash t : T$ and $\Gamma \to \Gamma'$ then $\Gamma' \vdash t : T$.

Proof.

(a) By correctness of types, either $T = s$ or $\Gamma \vdash T : s$. The case $T = s$ is not
possible since $s$ is not reducible. Therefore, $\Gamma \vdash T : s$ and, by subject reduction,
$\Gamma \vdash T' : s$. As $T \to T'$, $T \; \mathcal{C} \; T'$. Hence, by (conv), $\Gamma \vdash t : T'$.

(b) By induction on the size of $\Gamma$. If $\Gamma$ is empty, this is immediate. Assume then
that $\Gamma = \Gamma', x:T$. Since $\theta : \Gamma' \to \Delta$, by induction hypothesis, $\theta' : \Gamma' \to \Delta$. Then
it suffices to prove that $\Delta \vdash x\theta' : T\theta'$. As $\theta : \Gamma \to \Delta$, we have $\Delta \vdash x\theta : T\theta$. By
subject reduction, $\Delta \vdash x\theta' : T\theta$. By the Environment Lemma, there exists $s$
such that $\Gamma' \vdash T : s$. By substitution, $\Delta \vdash T\theta : s$. Since $T\theta \to^* T\theta'$, $T\theta \; \mathcal{C} \; T\theta'$
and, by subject reduction, $\Delta \vdash T\theta' : s$. Therefore, by (conv), $\Delta \vdash x\theta' : T\theta'$.

(c) Assume that $\Gamma = \Gamma_1, x:T, \Gamma_2$ and $\Gamma' = \Gamma_1, x:T', \Gamma_2$. By the Environment
Lemma, $\Gamma_1 \vdash T : s$. By subject reduction, $\Gamma_1 \vdash T' : s$. Therefore, $\Gamma \; \mathcal{C} \; \Gamma'$ and,
by the Environment Conversion Lemma, $\Gamma' \vdash t : T$. ■

Lemma 36 (Inconvertibility of maximal sorts) In an RTS, if $s \; \mathcal{C}^*_\Gamma \; T$ then
$s \; \mathcal{C}^{s*}_\Gamma \; T$. Therefore, if $s$ is maximal then $T = s$.

Proof. By case on the number of conversions between $s$ and $T$. If $s = T$, this
is immediate. Assume then that $s \; \mathcal{C}_\Gamma \; T' \; \mathcal{C}^*_\Gamma \; T$. By definition of $\mathcal{C}_\Gamma$, there exists $s'$
such that $\Gamma \vdash T' : s'$. As $\mathcal{C} = \downarrow$ and $s$ is irreducible, $T' \to^* s$. By subject reduction,
$\Gamma \vdash s : s'$ and $s \; \mathcal{C}^{s*}_\Gamma \; T$. ■

Hence we get the equivalence of the two relations $\mathcal{C}_\Gamma$ and $\mathcal{C}^s_\Gamma$, and a refinement
of the Inversion Lemma for RTS's.

Lemma 37 (Equivalence of $\mathcal{C}_\Gamma$ and $\mathcal{C}^s_\Gamma$) In an RTS, $\mathcal{C}_\Gamma = \mathcal{C}^s_\Gamma$.

Proof. First of all, we have $\mathcal{C}^s_\Gamma \subseteq \mathcal{C}_\Gamma$. We prove the reverse. Assume that
$T \; \mathcal{C}_\Gamma \; T'$. As there exists $t$ such that $\Gamma \vdash t : T$, by correctness of types, either $T$ is
a maximal sort, or there exists $s$ such that $\Gamma \vdash T : s$. By the previous lemma, $T$
cannot be a maximal sort. Therefore, there exists $s$ such that $\Gamma \vdash T : s$ and $T \; \mathcal{C}^s_\Gamma \; T'$. ■
Definition 38 (Regular sort) A sort $s$ is regular if, for all $(s_1, s_2, s) \in \mathcal{B}$, $s_2 = s$.

A TSM is regular if all its sorts are regular.

Most of the PTS's that one can find in the literature are regular. For these
systems, the abbreviation $(s_1, s_2) \in \mathcal{B}$ is often used for $(s_1, s_2, s_2) \in \mathcal{B}$
[59, 10].

Lemma 39 (Inversion for RTS's) Assume that $\Gamma \vdash t : T$.

- If $t = s$ then there exists $s'$ such that $(s, s') \in \mathcal{A}$ and $s' \; \mathcal{C}^{s*}_\Gamma \; T$.

- If $t = f(\vec{t})$, $f \in \mathcal{F}^s$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{t}\}$ then $\vdash \tau_f : s$, $\gamma : (\vec{x}:\vec{T}) \to \Gamma$
and $U\gamma \; \mathcal{C}^{s*}_\Gamma \; T$. Moreover, if $s$ is regular then $\Gamma \vdash U\gamma : s$.

- If $t = x \in \mathcal{X}^s$ then $\Gamma \vdash x\Gamma : s$ and $x\Gamma \; \mathcal{C}^*_\Gamma \; T$.

- If $t = (x:U)V$ then there exists $(s_1, s_2, s_3) \in \mathcal{B}$ such that $\Gamma \vdash U : s_1$, $\Gamma, x:U \vdash V : s_2$ and $s_3 \; \mathcal{C}^{s*}_\Gamma \; T$.

- If $t = [x:U]v$ then there exists $V$ such that $\Gamma, x:U \vdash v : V$ and $(x:U)V \; \mathcal{C}^*_\Gamma \; T$.

- If $t = uv$ then there exist $V$ and $W$ such that $\Gamma \vdash u : (x:V)W$, $\Gamma \vdash v : V$
and $W\{x \mapsto v\} \; \mathcal{C}^{s*}_\Gamma \; T$. Moreover, if $\Gamma \vdash (x:V)W : s$ and $s$ is regular then
$\Gamma \vdash W\{x \mapsto v\} : s$.

Proof. The modifications of the cases $t = s$ and $t = (x:U)V$ are a consequence
of the inconvertibility of maximal sorts. Hence, we are left to prove the additional
properties in case of regular sorts. The property for $t = f(\vec{t})$ can be obtained by
iteration from the one for $t = uv$.

Assume that $\Gamma \vdash (x:V)W : s$. By inversion, there exists $(s_1, s_2, s_3) \in \mathcal{B}$ such
that $\Gamma, x:V \vdash W : s_2$ and $s_3 \; \mathcal{C}^{s*}_\Gamma \; s$. By preservation of sorts, $s_3 = s$. By regularity,
$s_2 = s_3$. Therefore, $\Gamma, x:V \vdash W : s$ and, by substitution, $\Gamma \vdash W\{x \mapsto v\} : s$. ■

4.2 Logical and functional RTS's 

Definition 40 (Functional TSM) A set of rules $\mathcal{B}$ is functional if $(s_1, s_2, s_3) \in \mathcal{B}$
and $(s_1, s_2, s'_3) \in \mathcal{B}$ imply $s_3 = s'_3$. A TSM is functional if $\mathcal{A}$ is a functional relation
and $\mathcal{B}$ is functional.

Most of the PTS's one can encounter in the literature are functional.
In a regular TSM, $\mathcal{B}$ is functional. Therefore, for a regular TSM to be functional,
it suffices that $\mathcal{A}$ is a functional relation.

Lemma 41 (Convertibility of types) In a logical and functional RTS, if $\Gamma \vdash t : T$
and $\Gamma \vdash t : T'$ then $T \; \mathcal{C}^*_\Gamma \; T'$.

Proof. By induction on $t$. We follow the notations of the Inversion Lemma.

- $t = s$. By inversion, there exist $s'_1$ and $s'_2$ such that $(s, s'_1) \in \mathcal{A}$, $(s, s'_2) \in \mathcal{A}$,
$s'_1 \; \mathcal{C}^*_\Gamma \; T$ and $s'_2 \; \mathcal{C}^*_\Gamma \; T'$. By functionality, $s'_1 = s'_2$. Therefore, by symmetry,
$T \; \mathcal{C}^*_\Gamma \; T'$.

- $t = f(\vec{t})$. By inversion, $U\gamma \; \mathcal{C}^*_\Gamma \; T$ and $U\gamma \; \mathcal{C}^*_\Gamma \; T'$. Therefore, by symmetry, $T \; \mathcal{C}^*_\Gamma \; T'$.

- $t = x$. By inversion, $x\Gamma \; \mathcal{C}^*_\Gamma \; T$ and $x\Gamma \; \mathcal{C}^*_\Gamma \; T'$. Therefore, by symmetry, $T \; \mathcal{C}^*_\Gamma \; T'$.

- $t = (x:U)V$. By inversion, there exist $(s_1, s_2, s_3) \in \mathcal{B}$ and $(s'_1, s'_2, s'_3) \in \mathcal{B}$ such
that $\Gamma \vdash U : s_1$, $\Gamma \vdash U : s'_1$, $\Gamma, x:U \vdash V : s_2$, $\Gamma, x:U \vdash V : s'_2$, $s_3 \; \mathcal{C}^*_\Gamma \; T$ and
$s'_3 \; \mathcal{C}^*_\Gamma \; T'$. By induction hypothesis, $s_1 \; \mathcal{C}^*_\Gamma \; s'_1$ and $s_2 \; \mathcal{C}^*_{\Gamma, x:U} \; s'_2$. By preservation of
sorts, $s_1 = s'_1$ and $s_2 = s'_2$. Therefore, by functionality, $s_3 = s'_3$ and, by symmetry,
$T \; \mathcal{C}^*_\Gamma \; T'$.

- $t = [x:U]v$. By inversion, there exist $V$ and $V'$ such that $\Gamma, x:U \vdash v : V$,
$\Gamma, x:U \vdash v : V'$, $(x:U)V \; \mathcal{C}^*_\Gamma \; T$ and $(x:U)V' \; \mathcal{C}^*_\Gamma \; T'$. By induction hypothesis,
$V \; \mathcal{C}^*_{\Gamma, x:U} \; V'$. By stability by context, $(x:U)V \; \mathcal{C}^*_\Gamma \; (x:U)V'$. Therefore, by
symmetry, $T \; \mathcal{C}^*_\Gamma \; T'$.

- $t = uv$. By inversion, there exist $V$, $V'$, $W$ and $W'$ such that $\Gamma \vdash u : (x:V)W$,
$\Gamma \vdash u : (x:V')W'$, $W\{x \mapsto v\} \; \mathcal{C}^*_\Gamma \; T$ and $W'\{x \mapsto v\} \; \mathcal{C}^*_\Gamma \; T'$. By induction
hypothesis, $(x:V)W \; \mathcal{C}^*_\Gamma \; (x:V')W'$. By product compatibility, $W \; \mathcal{C}^*_{\Gamma, x:V} \; W'$. By
substitution and stability by substitution, $W\{x \mapsto v\} \; \mathcal{C}^*_\Gamma \; W'\{x \mapsto v\}$. Therefore,
by symmetry, $T \; \mathcal{C}^*_\Gamma \; T'$. ■

Lemma 42 (Conversion correctness) In a logical and functional RTS, if $\Gamma \vdash T : s$ and $T \; \mathcal{C}_\Gamma \; T'$ then $\Gamma \vdash T' : s$.

Proof. By definition of $\mathcal{C}_\Gamma$, there exists $s'$ such that $\Gamma \vdash T' : s'$. As $\mathcal{C} = \downarrow$, there
exists $U$ such that $T \to^* U$ and $T' \to^* U$. By subject reduction, $\Gamma \vdash U : s$ and
$\Gamma \vdash U : s'$. By convertibility of types and preservation of sorts, $s = s'$ and $\Gamma \vdash T' : s$. ■



Lemma 43 (Equivalence of $\vdash_s$ and $\vdash$) In a logical and functional RTS, $\vdash_s \; = \; \vdash$.

Proof. First of all, it is immediate that $\vdash_s \subseteq \vdash$. We show the inverse by induction
on $\Gamma \vdash t : T$. The only difficult case is of course (conv). By induction hypothesis,
we have $\Gamma \vdash_s t : T$ and $\Gamma \vdash_s T' : s'$. It is easy to verify that the Substitution Lemma
and the correctness of types are also valid for $\vdash_s$. Hence, by correctness of types,
either $T$ is a maximal sort, or there exists $s$ such that $\Gamma \vdash_s T : s$. If $T$ is a maximal
sort $s$ then $T' \to^* s$ and $s$ is typable, which is excluded. Therefore, $\Gamma \vdash_s T : s$. By
convertibility of types and preservation of sorts, $s = s'$ and, by (conv'), $\Gamma \vdash_s t : T'$. ■

Lemma 44 ($\alpha$-equivalence) In a logical and functional RTS, if $(x:T)U \; \mathcal{C}_\Gamma \; (x':T')U'$ then $x$ and $x'$ are of the same sort and $(x':T')U'$ is $\alpha$-equivalent to $(x:T')U'\{x' \mapsto x\}$.

Proof. Assume that $x$ is of sort $s$ and $x'$ is of sort $s'$. By definition of $\mathcal{C}_\Gamma$ (which equals $\mathcal{C}^s_\Gamma$ in an RTS, by Lemma 37), we
have $\Gamma \vdash (x:T)U : s_3$ and $\Gamma \vdash (x':T')U' : s'_3$. By inversion, we have $\Gamma, x:T \vdash U : s_2$
and $\Gamma, x':T' \vdash U' : s'_2$. By the Environment Lemma, we have $\Gamma \vdash T : s$ and
$\Gamma \vdash T' : s'$. By conversion correctness and preservation of sorts, $s = s'$. Therefore $x$
and $x'$ are of the same sort and $(x':T')U'$ is $\alpha$-equivalent to $(x:T')U'\{x' \mapsto x\}$. ■

Lemma 45 (Maximal sort) In a logical and functional RTS, if $s$ is a maximal
sort and $\Gamma \vdash t : s$ then $t$ is of the form $(\vec{x}:\vec{t})s'$. Moreover, if $t \; \mathcal{C}^*_\Gamma \; t'$ then $t'$ is of the
form $(\vec{y}:\vec{w})s'$ with $|\vec{y}| = |\vec{x}|$.

Proof. We prove the first assertion by case on $t$. Note first of all that there is
no $s'$ such that $\Gamma \vdash s : s'$. Otherwise, by inversion, there would exist $s''$ such that
$(s, s'') \in \mathcal{A}$ and $s'' \; \mathcal{C}^*_\Gamma \; s'$, which is excluded since $s$ is maximal.

- $t = f(\vec{t})$. Let $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{t}\}$. By inversion, there exists $s'$ such
that $\Gamma \vdash U\gamma : s'$ and $U\gamma \; \mathcal{C}^*_\Gamma \; s$. By conversion correctness, $\Gamma \vdash s : s'$. This case is
therefore impossible.

- $t = x \in \mathcal{X}^{s'}$. By inversion, $\Gamma \vdash x\Gamma : s'$ and $x\Gamma \; \mathcal{C}^*_\Gamma \; s$. By conversion correctness,
$\Gamma \vdash s : s'$. This case is therefore impossible.

- $t = [x:U]v$. By inversion, there exist $V$ and $s'$ such that $\Gamma, x:U \vdash v : V$,
$\Gamma \vdash (x:U)V : s'$ and $(x:U)V \; \mathcal{C}^*_\Gamma \; s$. By conversion correctness, $\Gamma \vdash s : s'$. This
case is therefore impossible.

- $t = uv$. By inversion, there exist $V$, $W$ and $s'$ such that $\Gamma \vdash W\{x \mapsto v\} : s'$ and
$W\{x \mapsto v\} \; \mathcal{C}^*_\Gamma \; s$. By conversion correctness, $\Gamma \vdash s : s'$. This case is therefore
impossible.

We are left with the cases $t = (x:U)V$ and $t = s'$. Therefore $t$ must be of the
form $(\vec{x}:\vec{t})s'$.

We now show the second assertion. By conversion correctness, $\Gamma \vdash t' : s$. By
the first assertion, $t'$ is of the form $(\vec{y}:\vec{w})s''$. By product compatibility and $\alpha$-equivalence,
and by exchanging the roles of $t$ and $t'$, we can assume that $\vec{y} = \vec{x}\vec{z}$
and $\vec{w} = \vec{t}\,\vec{u}$. Hence, $s' \; \mathcal{C}^*_{\Gamma'} \; (\vec{z}:\vec{u})s''$ where $\Gamma' = \Gamma, \vec{x}:\vec{t}$. We then prove by induction
on the number of conversions between $s'$ and $(\vec{z}:\vec{u})s''$ that $|\vec{z}| = 0$ and $s' = s''$.
If $s' = (\vec{z}:\vec{u})s''$, this is immediate. Assume then that $s' \; \mathcal{C}_{\Gamma'} \; v \; \mathcal{C}^*_{\Gamma'} \; (\vec{z}:\vec{u})s''$. By
conversion correctness, $\Gamma' \vdash v : s$. Therefore, by the first assertion, $v$ is of the form
$(\vec{z}':\vec{u}')s'''$. As $\mathcal{C} = \downarrow$ and $s'$ is irreducible, $v \to^* s'$. Therefore $|\vec{z}'| = 0$ and $s''' = s'$.
So, $v = s'$ and, by induction hypothesis, $|\vec{z}| = 0$ and $s'' = s'$. ■

4.3 Logical and injective RTS's 

Definition 46 (Injective TSM) A set of rules $\mathcal{B}$ is injective if $(s_1, s_2, s_3) \in \mathcal{B}$ and
$(s_1, s'_2, s_3) \in \mathcal{B}$ imply $s_2 = s'_2$. A TSM is injective if $\mathcal{A}$ is a functional and injective
relation and $\mathcal{B}$ is functional and injective.

In a regular TSM, $\mathcal{B}$ is functional and injective. Therefore, for a regular TSM to
be injective, it suffices that $\mathcal{A}$ is a functional and injective relation.

Lemma 47 (Separation) In a logical and injective RTS, if $s_1 \neq s_2$ then, for all
$i \in \{0, 1\}$, $\mathcal{T}^{s_1}_i \cap \mathcal{T}^{s_2}_i = \emptyset$.

Proof. We show that $t \in \mathcal{T}^{s_1}_i \cap \mathcal{T}^{s_2}_i$ implies $s_1 = s_2$, by induction on $t$. In both cases below, $j$ ranges over $\{1, 2\}$.

Case $i = 0$. There exists $\Gamma_j$ such that $\Gamma_j \vdash t : s_j$.

- $t = s$. By inversion, there exists $s'_j$ such that $(s, s'_j) \in \mathcal{A}$ and $s'_j \; \mathcal{C}^*_{\Gamma_j} \; s_j$. By
functionality, $s'_1 = s'_2$. Let $s'$ be the sort $s'_1 = s'_2$. Then, $s' \; \mathcal{C}^*_{\Gamma_j} \; s_j$. Therefore,
by preservation of sorts, $s_1 = s_2 = s'$.

- $t = f(\vec{t})$, $f \in \mathcal{F}^s$ and $\tau_f = (\vec{x}:\vec{T})U$. Let $\Gamma = \vec{x}:\vec{T}$ and $\gamma = \{\vec{x} \mapsto \vec{t}\}$. By
inversion, $\vdash \tau_f : s$, $\gamma : \Gamma \to \Gamma_j$ and $U\gamma \; \mathcal{C}^*_{\Gamma_j} \; s_j$. By inversion again, there exists $s'$
such that $\Gamma \vdash U : s'$. By substitution, $\Gamma_j \vdash U\gamma : s'$. By conversion correctness,
$\Gamma_j \vdash s_j : s'$. By inversion and preservation of sorts, $(s_j, s') \in \mathcal{A}$. Therefore, by
injectivity, $s_1 = s_2$.

- $t = x \in \mathcal{X}^s$. By inversion, $\Gamma_j \vdash x\Gamma_j : s$ and $x\Gamma_j \; \mathcal{C}^*_{\Gamma_j} \; s_j$. By conversion
correctness, $\Gamma_j \vdash s_j : s$. By inversion and preservation of sorts, $(s_j, s) \in \mathcal{A}$.
Therefore, by injectivity, $s_1 = s_2$.

- $t = (x:U)V$. By inversion, there exists $(s^1_j, s^2_j, s^3_j) \in \mathcal{B}$ such that $\Gamma_j \vdash U : s^1_j$,
$\Gamma_j, x:U \vdash V : s^2_j$ and $s^3_j \; \mathcal{C}^*_{\Gamma_j} \; s_j$. By induction hypothesis, $s^1_1 = s^1_2$ and $s^2_1 = s^2_2$.
Therefore, by functionality, $s^3_1 = s^3_2$. Let $s$ be the sort $s^3_1 = s^3_2$. Then, $s \; \mathcal{C}^*_{\Gamma_j} \; s_j$
and, by preservation of sorts, $s_1 = s_2 = s$.

- $t = [x:U]v$. By inversion, there exist $V_j$ and $s'_j$ such that $\Gamma_j, x:U \vdash v : V_j$,
$\Gamma_j \vdash (x:U)V_j : s'_j$ and $(x:U)V_j \; \mathcal{C}^*_{\Gamma_j} \; s_j$. By inversion again, there exists
$(s^1_j, s^2_j, s^3_j) \in \mathcal{B}$ such that $\Gamma_j \vdash U : s^1_j$, $\Gamma_j, x:U \vdash V_j : s^2_j$ and $s^3_j \; \mathcal{C}^*_{\Gamma_j} \; s'_j$. By
preservation of sorts, $s^3_j = s'_j$. By induction hypothesis, $s^1_1 = s^1_2$ and $s^2_1 = s^2_2$.
Therefore, by functionality, $s^3_1 = s^3_2$. Let $s$ be the sort $s'_1 = s'_2 = s^3_1 = s^3_2$.
By conversion correctness, $\Gamma_j \vdash s_j : s$. By inversion and preservation of sorts,
$(s_j, s) \in \mathcal{A}$. Therefore, by injectivity, $s_1 = s_2$.

- $t = uv$. By inversion, there exist $V_j$ and $W_j$ such that $\Gamma_j \vdash u : (x_j:V_j)W_j$,
$\Gamma_j \vdash v : V_j$ and $W_j\{x_j \mapsto v\} \; \mathcal{C}^*_{\Gamma_j} \; s_j$. Let $\Gamma'_j = \Gamma_j, x_j:V_j$ and $\theta_j = \{x_j \mapsto v\}$.
By correctness of types, there exists $s'_j$ such that $\Gamma_j \vdash (x_j:V_j)W_j : s'_j$. By
induction hypothesis on $u$, $s'_1 = s'_2$. Let $s' = s'_1 = s'_2$. By inversion, there
exists $(s^1_j, s^2_j, s^3_j) \in \mathcal{B}$ such that $\Gamma_j \vdash V_j : s^1_j$, $\Gamma'_j \vdash W_j : s^2_j$ and $s^3_j \; \mathcal{C}^*_{\Gamma_j} \; s'$. By
preservation of sorts, $s^3_j = s'$. By induction hypothesis on $v$, $s^1_1 = s^1_2$. Therefore,
by injectivity, $s^2_1 = s^2_2$. Let $s'' = s^2_1 = s^2_2$. As $\theta_j : \Gamma'_j \to \Gamma_j$, by substitution,
$\Gamma_j \vdash W_j\theta_j : s''$. By conversion correctness, $\Gamma_j \vdash s_j : s''$. By inversion and
preservation of sorts, $(s_j, s'') \in \mathcal{A}$. Therefore, by injectivity, $s_1 = s_2$.

Case $i = 1$. There exist $\Gamma_j$ and $T_j$ such that $\Gamma_j \vdash t : T_j$ and $\Gamma_j \vdash T_j : s_j$.

- $t = s$. As in case $i = 0$, there exists $s'$ such that $s' \; \mathcal{C}^*_{\Gamma_j} \; T_j$. By conversion
correctness, $\Gamma_j \vdash s' : s_j$. By inversion and preservation of sorts, $(s', s_j) \in \mathcal{A}$.
Therefore, by functionality, $s_1 = s_2$.

- $t = f(\vec{t})$. As in case $i = 0$, there exists $s'$ such that $\Gamma_j \vdash T_j : s'$. By convertibility
of types and preservation of sorts, $s_1 = s_2 = s'$.

- $t = x \in \mathcal{X}^s$. As in case $i = 0$, $\Gamma_j \vdash T_j : s$. Therefore, by convertibility of types
and preservation of sorts, $s_1 = s_2 = s$.

- $t = (x:U)V$. As in case $i = 0$, there exists $s$ such that $s \; \mathcal{C}^*_{\Gamma_j} \; T_j$. By conversion
correctness, $\Gamma_j \vdash s : s_j$. By inversion and preservation of sorts, $(s, s_j) \in \mathcal{A}$.
Therefore, by functionality, $s_1 = s_2$.

- $t = [x:U]v$. As in case $i = 0$, there exists $s$ such that $\Gamma_j \vdash T_j : s$. By
convertibility of types and preservation of sorts, $s_1 = s_2 = s$.

- $t = uv$. As in case $i = 0$, there exists $s''$ such that $\Gamma_j \vdash T_j : s''$. By convertibility
of types and preservation of sorts, $s_1 = s_2 = s''$. ■
Lemma 48 (Classification) In a logical and injective RTS, either $(s_1, s_2) \in \mathcal{A}$
and $\mathcal{T}^{s_1}_0 \subseteq \mathcal{T}^{s_2}_1$, or $(s_1, s_2) \notin \mathcal{A}$ and $\mathcal{T}^{s_1}_0 \cap \mathcal{T}^{s_2}_1 = \emptyset$.

Proof. If $(s_1, s_2) \in \mathcal{A}$, it is clear that $\mathcal{T}^{s_1}_0 \subseteq \mathcal{T}^{s_2}_1$. We then prove that $t \in \mathcal{T}^{s_1}_0 \cap \mathcal{T}^{s_2}_1$
implies $(s_1, s_2) \in \mathcal{A}$, by induction on $t$. Let $\Gamma$, $\Gamma'$ and $T$ be such that $\Gamma \vdash t : s_1$, $\Gamma' \vdash t : T$
and $\Gamma' \vdash T : s_2$.

- $t = s$. By inversion, there exist $s'_1$ and $s'_2$ such that $(s, s'_1) \in \mathcal{A}$, $s'_1 \; \mathcal{C}^*_\Gamma \; s_1$,
$(s, s'_2) \in \mathcal{A}$ and $s'_2 \; \mathcal{C}^*_{\Gamma'} \; T$. By preservation of sorts, $s'_1 = s_1$. By functionality,
$s_1 = s'_2$. By conversion correctness, $\Gamma' \vdash s'_2 : s_2$. Therefore, by inversion and
preservation of sorts, $(s'_2, s_2) \in \mathcal{A}$ and $(s_1, s_2) \in \mathcal{A}$.

- $t = f(\vec{t})$. Let $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{t}\}$. By inversion, there exist $s'_1$
and $s'_2$ such that $\Gamma \vdash U\gamma : s'_1$, $U\gamma \; \mathcal{C}^*_\Gamma \; s_1$, $\Gamma' \vdash U\gamma : s'_2$ and $U\gamma \; \mathcal{C}^*_{\Gamma'} \; T$. By
conversion correctness, $\Gamma \vdash s_1 : s'_1$. Therefore, by inversion and preservation of
sorts, $(s_1, s'_1) \in \mathcal{A}$. By separation, $s'_1 = s'_2$. By conversion correctness, $\Gamma' \vdash T : s'_2$.
Therefore, by separation, $s'_2 = s_2$ and $(s_1, s_2) \in \mathcal{A}$.

- $t = x \in \mathcal{X}^s$. By inversion, $\Gamma \vdash x\Gamma : s$, $x\Gamma \; \mathcal{C}^*_\Gamma \; s_1$, $\Gamma' \vdash x\Gamma' : s$ and $x\Gamma' \; \mathcal{C}^*_{\Gamma'} \; T$.
By conversion correctness, $\Gamma \vdash s_1 : s$. By inversion and preservation of sorts,
$(s_1, s) \in \mathcal{A}$. By conversion correctness, $\Gamma' \vdash T : s$. Therefore, by separation,
$s = s_2$ and $(s_1, s_2) \in \mathcal{A}$.

- $t = (x:U)V$. By inversion, there exist $(s_a, s_b, s_c)$ and $(s'_a, s'_b, s'_c) \in \mathcal{B}$ such that
$\Gamma \vdash U : s_a$, $\Gamma, x:U \vdash V : s_b$, $s_c \; \mathcal{C}^*_\Gamma \; s_1$, $\Gamma' \vdash U : s'_a$, $\Gamma', x:U \vdash V : s'_b$ and $s'_c \; \mathcal{C}^*_{\Gamma'} \; T$.
By preservation of sorts, $s_c = s_1$. By conversion correctness, $\Gamma' \vdash s'_c : s_2$. By
inversion and preservation of sorts, $(s'_c, s_2) \in \mathcal{A}$. By separation, $s_a = s'_a$ and
$s_b = s'_b$. Therefore, by functionality, $s_c = s'_c$ and $(s_1, s_2) \in \mathcal{A}$.

- $t = [x:U]v$. By inversion, there exist $V$, $s$, $V'$ and $s'$ such that $\Gamma, x:U \vdash v : V$,
$\Gamma \vdash (x:U)V : s$, $(x:U)V \; \mathcal{C}^*_\Gamma \; s_1$, $\Gamma', x:U \vdash v : V'$, $\Gamma' \vdash (x:U)V' : s'$ and
$(x:U)V' \; \mathcal{C}^*_{\Gamma'} \; T$. By conversion correctness, $\Gamma \vdash s_1 : s$ and $\Gamma' \vdash T : s'$. By
inversion and preservation of sorts, $(s_1, s) \in \mathcal{A}$. By separation, $s' = s_2$. By
inversion again, there exist $(s_a, s_b, s_c)$ and $(s'_a, s'_b, s'_c) \in \mathcal{B}$ such that $\Gamma \vdash U : s_a$,
$\Gamma, x:U \vdash V : s_b$, $s_c \; \mathcal{C}^*_\Gamma \; s$, $\Gamma' \vdash U : s'_a$, $\Gamma', x:U \vdash V' : s'_b$ and $s'_c \; \mathcal{C}^*_{\Gamma'} \; s'$. By
preservation of sorts, $s_c = s$ and $s'_c = s'$. By separation, $s_a = s'_a$ and $s_b = s'_b$.
Therefore, by functionality, $s_c = s'_c$ and $(s_1, s_2) \in \mathcal{A}$.

- $t = uv$. By inversion, there exist $V$, $W$, $s$, $V'$, $W'$ and $s'$ such that $\Gamma \vdash u : (x:V)W$, $\Gamma \vdash W\{x \mapsto v\} : s$, $W\{x \mapsto v\} \; \mathcal{C}^*_\Gamma \; s_1$, $\Gamma' \vdash u : (x:V')W'$,
$\Gamma' \vdash W'\{x \mapsto v\} : s'$ and $W'\{x \mapsto v\} \; \mathcal{C}^*_{\Gamma'} \; T$. By conversion correctness, $\Gamma \vdash s_1 : s$
and $\Gamma' \vdash T : s'$. By inversion and preservation of sorts, $(s_1, s) \in \mathcal{A}$. By separation,
$s = s'$ and $s' = s_2$. Therefore, $(s_1, s_2) \in \mathcal{A}$. ■

Remark 49 (Typing classes)

With the correctness of types, we have seen that a typable term is necessarily in
one of the sets $\mathcal{T}^s_i$ where $i \in \{0, 1\}$ and $s \in \mathcal{S}$. With the Separation and Classification
Lemmas, we can describe the relations between these sets more precisely.

In an injective TSM, the set of axioms $\mathcal{A}$ is necessarily a union of disjoint
maximal "chains", that is, sets $\mathcal{A}' \subseteq \mathcal{A}$ such that:

- if $(s_1, s_2) \in \mathcal{A}'$ and $(s_2, s_3) \in \mathcal{A}$ then $(s_2, s_3) \in \mathcal{A}'$,

- if $(s_2, s_3) \in \mathcal{A}'$ and $(s_1, s_2) \in \mathcal{A}$ then $(s_1, s_2) \in \mathcal{A}'$.

For example, in the case where $\mathcal{A}$ is finite, a maximal chain is of the form $\{(s_1, s_2),
(s_2, s_3), \ldots, (s_n, s_{n+1})\}$ with $s_1, \ldots, s_n$ distinct from one another. For such a chain,
we obtain $n$ classes $\mathcal{T}^{s_1}_1, \mathcal{T}^{s_2}_1, \ldots, \mathcal{T}^{s_n}_1$, plus two classes $\mathcal{T}^{s_{n+1}}_1$ and $\mathcal{T}^{s_{n+1}}_0$ if $s_{n+1}$ is
distinct from the other $s_j$'s. Finally, a sort $s$ which does not belong to any axiom
gives two classes, $\mathcal{T}^s_1$ and $\mathcal{T}^s_0$.

4.4 Confluent RTS's 

In the following, we prove results about the dependence of types with respect to variables and symbols. The first result, dependence with respect to variables, is better known under the name of "Strengthening Lemma". We give a proof of this lemma in the case of a functional (and confluent) RTS, inspired by the one of H. Geuvers and M.-J. Nederhof [59]. L. S. van Benthem Jutting [115] proved the same lemma for all PTS's. It would be interesting to examine his proof to adapt it to the case of RTS's.

Lemma 50 (Dependence w.r.t. variables) In a confluent and functional RTS, if $\Delta, z:V, \Delta' \vdash t : T$ and $z \notin FV(\Delta', t)$ then there exists $T'$ such that $T \to^* T'$ and $\Delta, \Delta' \vdash t : T'$.

Proof. By induction on $\Delta, z:V, \Delta' \vdash t : T$.

(ax) Impossible.

(symb) Let $\Gamma = \Delta, z:V, \Delta'$. We prove the property for $U\gamma$ itself. By induction hypothesis, for all $i$, there exists $T'_i$ such that $T_i\gamma \to^* T'_i$ and $\Delta, \Delta' \vdash t_i : T'_i$. We prove that $\gamma : \Gamma_f \to \Delta, \Delta'$. Let $\gamma_i = \{x_1 \mapsto t_1, \ldots, x_i \mapsto t_i\}$ and $\Gamma_i = x_1:T_1, \ldots, x_i:T_i$. We prove that $\gamma_i : \Gamma_i \to \Delta, \Delta'$ by induction on $i$. For $i = 0$, there is nothing to prove. Assume then that $\gamma_i : \Gamma_i \to \Delta, \Delta'$ and let us prove that $\gamma_{i+1} : \Gamma_{i+1} \to \Delta, \Delta'$. As $\vdash \tau_f : s$, by inversion, for all $j$, there exists $s_j$ such that $\Gamma_{j-1} \vdash T_j : s_j$. Hence, by the Environment Lemma, $FV(T_j) \subseteq \{x_1, \ldots, x_{j-1}\}$. Therefore, for all $j \le i+1$, $T_j\gamma_{i+1} = T_j\gamma_i$. So, $\gamma_{i+1} : \Gamma_i \to \Delta, \Delta'$ and we are left to prove that $\Delta, \Delta' \vdash t_{i+1} : T_{i+1}\gamma_i$. We have $\Delta, \Delta' \vdash t_{i+1} : T'_{i+1}$. As $\Gamma_i \vdash T_{i+1} : s_{i+1}$ and $\gamma_i : \Gamma_i \to \Delta, \Delta'$, by substitution, $\Delta, \Delta' \vdash T_{i+1}\gamma_i : s_{i+1}$. Therefore, by (conv), $\Delta, \Delta' \vdash t_{i+1} : T_{i+1}\gamma_i$ and $\gamma_{i+1} : \Gamma_{i+1} \to \Delta, \Delta'$. Finally, $\gamma = \gamma_n : \Gamma_f \to \Delta, \Delta'$. As $\Gamma_f \vdash U : s$, by substitution, $\Delta, \Delta' \vdash U\gamma : s$.

(var) Let $\Gamma = \Delta, z:V, \Delta'$. By induction hypothesis, $\Delta, \Delta' \vdash T : s$. Therefore, by (var), $\Delta, \Delta', x:T \vdash x : T$.

(weak) If $z = x$, $T$ itself satisfies the property since $\Gamma \vdash t : T$. Otherwise, let $\Gamma = \Delta, z:V, \Delta'$. By induction hypothesis, there exists $T'$ such that $T \to^* T'$, $\Delta, \Delta' \vdash t : T'$ and $\Delta, \Delta' \vdash U : s$. Therefore, by (weak), $\Delta, \Delta', x:U \vdash t : T'$.

(prod) Let $\Gamma = \Delta, z:V, \Delta'$. By induction hypothesis, $\Delta, \Delta' \vdash T : s_1$ and $\Delta, \Delta', x:T \vdash U : s_2$. Therefore, by (prod), $\Delta, \Delta' \vdash (x:T)U : s_3$.

(abs) Let $\Gamma = \Delta, z:V, \Delta'$. By induction hypothesis, there exists $U'$ such that $U \to^* U'$ and $\Delta, \Delta', x:T \vdash u : U'$. We prove that $\Delta, \Delta' \vdash (x:T)U' : s$. Then, by (abs), $\Delta, \Delta' \vdash [x:T]u : (x:T)U'$. As $\Gamma \vdash (x:T)U : s$, by inversion, there exists $(s_1, s_2, s) \in \mathcal{B}$ such that $\Gamma \vdash T : s_1$ and $\Gamma, x:T \vdash U : s_2$. As $z \notin FV(T)$, by induction hypothesis, $\Delta, \Delta' \vdash T : s_1$. As $\Delta, \Delta', x:T \vdash u : U'$, by correctness of types, either $U' = s'$ or $\Delta, \Delta', x:T \vdash U' : s'$. Assume that $U' = s'$. As $\Gamma, x:T \vdash U : s_2$, by subject reduction, $\Gamma, x:T \vdash U' : s_2$. Therefore $(s', s_2) \in \mathcal{A}$ and $\Delta, \Delta', x:T \vdash U' : s_2$. If now $\Delta, \Delta', x:T \vdash U' : s'$ then, by convertibility of types, $s' = s_2$. Hence, in all cases, $\Delta, \Delta', x:T \vdash U' : s_2$. Therefore, by (prod), $\Delta, \Delta' \vdash (x:T)U' : s$.

(app) Let $\Gamma = \Delta, z:V, \Delta'$. By induction hypothesis, there exist $U'_1$, $U'_2$ and $V'$ such that $U \to^* U'_1$, $U \to^* U'_2$, $V \to^* V'$, $\Delta, \Delta' \vdash t : (x:U'_1)V'$ and $\Delta, \Delta' \vdash u : U'_2$. By confluence, there exists $U''$ such that $U'_1 \to^* U''$ and $U'_2 \to^* U''$. By subject reduction, $\Delta, \Delta' \vdash t : (x:U'')V'$ and $\Delta, \Delta' \vdash u : U''$. Therefore, by (app), $\Delta, \Delta' \vdash tu : V'\{x \mapsto u\}$.

(conv) By induction hypothesis, there exists $T''$ such that $T \to^* T''$ and $\Delta, \Delta' \vdash t : T''$. By confluence, there exists $T'''$ such that $T'' \to^* T'''$ and $T' \to^* T'''$. By subject reduction, $\Delta, \Delta' \vdash t : T'''$. ■

Corollary 51 In a confluent and functional RTS, if $\Delta, z:V, \Delta' \vdash t : T$ and $z \notin FV(\Delta', t, T)$ then $\Delta, \Delta' \vdash t : T$.

Proof. After the lemma, there exists $T'$ such that $T \to^* T'$ and $\Delta, \Delta' \vdash t : T'$. By correctness of types, either $T$ is a maximal sort and $T' = T$, or $\Delta, z:V, \Delta' \vdash T : s$. Then, after the lemma, $\Delta, \Delta' \vdash T : s$. Therefore, by (conv), $\Delta, \Delta' \vdash t : T$. ■

Lemma 52 (Strong permutation) If $\Gamma, y:A, z:B, \Gamma' \vdash t : T$ and $y \notin FV(B)$ then $\Gamma, z:B, y:A, \Gamma' \vdash t : T$.

Proof. Let $\Delta = \Gamma, y:A, z:B, \Gamma'$ and $\Delta' = \Gamma, z:B, y:A, \Gamma'$. By transitivity, it suffices to prove that $\Delta'$ is valid and that $\Delta' \vdash \Delta$. To this end, it suffices to prove that $\Delta'$ is valid. By the Environment Lemma, we have $\Gamma \vdash A : s$ and $\Gamma, y:A \vdash B : s'$. After the previous lemma, $\Gamma \vdash B : s'$. Therefore, $\Gamma, z:B$ is valid and, by weakening, $\Gamma, z:B, y:A$ too. Assume that $\Gamma' = \vec{x}:\vec{T}$ and let $\Delta_i = \Gamma, y:A, z:B, x_1:T_1, \ldots, x_i:T_i$ and $\Delta'_i = \Gamma, z:B, y:A, x_1:T_1, \ldots, x_i:T_i$. We prove by induction on $i$ that $\Delta'_i$ is valid. We have already proved that $\Delta'_0$ is valid. Assume that $\Delta'_i$ is valid. By the Environment Lemma, $\Delta_i \vdash T_{i+1} : s_{i+1}$. As $\Delta'_i \vdash \Delta_i$, $\Delta'_i \vdash T_{i+1} : s_{i+1}$ and $\Delta'_{i+1}$ is valid. Therefore, $\Delta'$ is valid and $\Delta' \vdash t : T$. ■

Definition 53 (Compatibility w.r.t. a quasi-ordering) Let $\ge$ be a quasi-ordering on $\mathcal{F}$. Given a symbol $g$, we will denote by $\vdash_g$ the typing relation of the RTS whose symbols are strictly smaller than $g$.

- $\to$ is compatible with $\ge$ if, for all symbols $g$ and all terms $t, t'$, if all the symbols in $t$ are strictly smaller than $g$ and $t \to t'$ then the symbols in $t'$ are strictly smaller than $g$.

- $\tau$ is compatible with $\ge$ if, for all symbols $g$, all the symbols in $\tau_g$ are smaller than $g$.
Lemma 54 (Dependence w.r.t. symbols) Consider a confluent and functional RTS and $\ge$ a quasi-ordering on $\mathcal{F}$ such that $\to$ and $\tau$ are compatible with $\ge$. If $\Gamma \vdash t : T$ and the symbols in $\Gamma$ and $t$ are strictly smaller than $g$ then there exists $T'$ such that $T \to^* T'$ and $\Gamma \vdash_g t : T'$.

Proof. By induction on $\Gamma \vdash t : T$.

(ax) Immediate.

(symb) We prove that $\Gamma \vdash_g f(\vec{t}) : U\gamma$. By induction hypothesis, for all $i$, there exists $T'_i$ such that $T_i\gamma \to^* T'_i$ and $\Gamma \vdash_g t_i : T'_i$. We prove that $\gamma : \Gamma_f \to \Gamma$ in $\vdash_g$. Let $\gamma_i = \{x_1 \mapsto t_1, \ldots, x_i \mapsto t_i\}$ and $\Gamma_i = x_1:T_1, \ldots, x_i:T_i$. We prove that $\gamma_i : \Gamma_i \to \Gamma$ by induction on $i$. For $i = 0$, there is nothing to prove. Assume then that $\gamma_i : \Gamma_i \to \Gamma$ and let us prove that $\gamma_{i+1} : \Gamma_{i+1} \to \Gamma$. As $\tau$ is compatible with $\ge$, by induction hypothesis, $\vdash_g \tau_f : s$. By inversion, for all $j$, there exists $s_j$ such that $\Gamma_{j-1} \vdash_g T_j : s_j$. Hence, by the Free variables Lemma, $FV(T_j) \subseteq \{x_1, \ldots, x_{j-1}\}$. Therefore, for all $j \le i+1$, $T_j\gamma_{i+1} = T_j\gamma_i$. So, $\gamma_{i+1} : \Gamma_i \to \Gamma$ and we are left to prove that $\Gamma \vdash_g t_{i+1} : T_{i+1}\gamma_i$. We have $\Gamma \vdash_g t_{i+1} : T'_{i+1}$. As $\Gamma_i \vdash_g T_{i+1} : s_{i+1}$ and $\gamma_i : \Gamma_i \to \Gamma$, by substitution, $\Gamma \vdash_g T_{i+1}\gamma_i : s_{i+1}$. Therefore, by (conv), $\Gamma \vdash_g t_{i+1} : T_{i+1}\gamma_i$ and $\gamma_{i+1} : \Gamma_{i+1} \to \Gamma$. Finally, $\gamma = \gamma_n : \Gamma_f \to \Gamma$. As $\Gamma_f \vdash_g U : s$, by substitution, $\Gamma \vdash_g U\gamma : s$.

(var) By induction hypothesis, $\Gamma \vdash_g T : s$. Therefore, by (var), $\Gamma, x:T \vdash_g x : T$.

(weak) By induction hypothesis, there exists $T'$ such that $T \to^* T'$, $\Gamma \vdash_g t : T'$ and $\Gamma \vdash_g U : s$. Therefore, by (weak), $\Gamma, x:U \vdash_g t : T'$.

(prod) By induction hypothesis, $\Gamma \vdash_g T : s_1$ and $\Gamma, x:T \vdash_g U : s_2$. Therefore, by (prod), $\Gamma \vdash_g (x:T)U : s_3$.

(abs) By induction hypothesis, there exists $U'$ such that $U \to^* U'$ and $\Gamma, x:T \vdash_g u : U'$. We prove that $\Gamma \vdash_g (x:T)U' : s$. Then, by (abs), $\Gamma \vdash_g [x:T]u : (x:T)U'$. As $\Gamma \vdash (x:T)U : s$, by inversion, there exists $(s_1, s_2, s) \in \mathcal{B}$ such that $\Gamma \vdash T : s_1$ and $\Gamma, x:T \vdash U : s_2$. By induction hypothesis, $\Gamma \vdash_g T : s_1$. As $\Gamma, x:T \vdash_g u : U'$, by correctness of types, either $U' = s'$ or $\Gamma, x:T \vdash_g U' : s'$. Assume that $U' = s'$. As $\Gamma, x:T \vdash U : s_2$, by subject reduction, $\Gamma, x:T \vdash U' : s_2$. Therefore $(s', s_2) \in \mathcal{A}$ and $\Gamma, x:T \vdash_g U' : s_2$. If now $\Gamma, x:T \vdash_g U' : s'$ then, by convertibility of types, $s' = s_2$. Hence, in all cases, $\Gamma, x:T \vdash_g U' : s_2$. Therefore, by (prod), $\Gamma \vdash_g (x:T)U' : s$.

(app) By induction hypothesis, there exist $U'_1$, $U'_2$ and $V'$ such that $U \to^* U'_1$, $U \to^* U'_2$, $V \to^* V'$, $\Gamma \vdash_g t : (x:U'_1)V'$ and $\Gamma \vdash_g u : U'_2$. By confluence, there exists $U''$ such that $U'_1 \to^* U''$ and $U'_2 \to^* U''$. By subject reduction, $\Gamma \vdash_g t : (x:U'')V'$ and $\Gamma \vdash_g u : U''$. Therefore, by (app), $\Gamma \vdash_g tu : V'\{x \mapsto u\}$.

(conv) By induction hypothesis, there exists $T''$ such that $T \to^* T''$ and $\Gamma \vdash_g t : T''$. By confluence, there exists $T'''$ such that $T'' \to^* T'''$ and $T' \to^* T'''$. By subject reduction, $\Gamma \vdash_g t : T'''$. As $\to$ is compatible with $\ge$, the symbols in $T'''$ are strictly smaller than $g$. ■



Chapter 5 

Algebraic Type Systems (ATS's) 



Now, we are going to study the case of RTS's whose reduction relation is made of $\beta$-reduction and rewrite rules. But, before, we must properly define what rewriting means in a strongly typed higher-order framework.

In first-order frameworks, that is, within a first-order term algebra, a rewrite rule is generally defined as a pair $l \to r$ of terms such that $l$ is not a variable and the variables occurring in $r$ also occur in $l$ (otherwise, rewriting does not terminate). Then, one says that a term $t$ rewrites to a term $t'$ at position $p$ if there exists a substitution $\sigma$ such that $t|_p = l\sigma$ (one says that $t|_p$ matches $l$) and $t' = t[r\sigma]_p$ (the subterm of $t$ at position $p$, $l\sigma$, is replaced by $r\sigma$). The reader is invited to look at, for example, [46, 3] to get more details on first-order rewriting.

Here, we are going to consider a very similar rewriting mechanism by restricting left-hand sides of rules to belong to the first-order-like term algebra generated from $\mathcal{F}$ and $\mathcal{X}$. On the other hand, right-hand sides can be arbitrary. This is a particular case of the Combinatory Reduction Systems (CRS)¹ of W. Klop [79] for which it is not necessary to use higher-order pattern matching à la Klop or à la Miller [91, 95].

However, we proved in [21] that a weaker version of the termination criteria that we are going to present in the next chapter can be adapted, in the case of the simply-typed $\lambda$-calculus, to rewriting with higher-order matching à la Klop or à la Miller. It would therefore be interesting to try to define a notion of rewriting with higher-order matching in the case of polymorphic and dependent types, and to study whether our termination criteria can also be adapted to this notion of rewriting.

Definition 55 (Algebraic terms) A term is algebraic if it is a variable or of the form $f(\vec{t})$ with all the $t_i$'s themselves algebraic. We denote by $T(\mathcal{F}, \mathcal{X})$ the set of algebraic terms built from $\mathcal{F}$ and $\mathcal{X}$, and by $\mathcal{T}(\mathcal{F}, \mathcal{X})$ the set of typable algebraic terms.

Definition 56 (Rewriting) A rewrite rule is a pair of terms $l \to r$ such that $l$ is an algebraic term distinct from a variable and $FV(r) \subseteq FV(l)$. A rule $l \to r$ is left-linear if no variable occurs more than once in $l$.

¹ To see this, it suffices to translate $[x:T]u$ by $\lambda(T, [x]u)$, $(x:T)U$ by $\Pi(T, [x]U)$ and $uv$ by $@(u, v)$, where $\lambda$, $\Pi$ and $@$ are symbols of arity 2 and $[\_]\_$ is the abstraction operator of CRS's.

Given a set of rewrite rules $\mathcal{R}$, $\mathcal{R}$-reduction is the smallest relation containing $\mathcal{R}$ and stable by substitution and context. A term of the form $l\sigma$ with $l \to r \in \mathcal{R}$ and $\sigma$ a substitution is an $\mathcal{R}$-redex.

Given a set of symbols $\mathcal{G}$, we denote by $\mathcal{R}_\mathcal{G}$ the set of rules which define a symbol in $\mathcal{G}$, that is, the set of rules such that the head symbol of the left-hand side is a symbol of $\mathcal{G}$.

A symbol $f$ is constant if $\mathcal{R}_{\{f\}} = \emptyset$, otherwise it is (partially) defined. We denote by $\mathcal{CF}$ the set of constant symbols and by $\mathcal{DF}$ the set of defined symbols.

Definition 57 (ATS) An ATS is a pre-RTS whose reduction relation $\to$ is of the form $\to_{\mathcal{R}} \cup \to_\beta$ with $\mathcal{R}$ a set of rewrite rules.

Now that we have introduced our notion of rewriting, we can wonder under which conditions it has the subject reduction property.

With first-order rewriting in sorted algebras, for rewriting to preserve the sort of terms, it suffices that, for all rules, both sides of the rule have the same sort.

Carried over to type systems, this condition gives: there exist an environment $\Gamma$ and a type $T$ such that $\Gamma \vdash l : T$ and $\Gamma \vdash r : T$. This condition is the one which has been taken in all previous work combining typed $\lambda$-calculus and rewriting.

However, this condition has an important drawback. With polymorphic or dependent types, it leads to strongly non-left-linear rules. This has two important consequences. First, rewriting is strongly slowed down because of the necessary equality tests. Second, it is more difficult to prove confluence with non-left-linear rules.

Let us take the example of the concatenation of two polymorphic lists in the Calculus of Constructions ($\mathcal{S} = \{\star, \Box\}$, $\mathcal{A} = \{(\star, \Box)\}$ and $\mathcal{B} = \{(s_1, s_2, s_3) \in \mathcal{S}^3 \mid s_2 = s_3\}$):

- $list \in \mathcal{F}^\Box_1$ with $\tau_{list} = \star \to \star$ the type of polymorphic lists,

- $nil \in \mathcal{F}^\star_1$ with $\tau_{nil} = (A:\star)list(A)$ the empty list,

- $cons \in \mathcal{F}^\star_3$ with $\tau_{cons} = (A:\star)A \to list(A) \to list(A)$ the function adding an element at the head of a list,

- $app \in \mathcal{F}^\star_3$ with $\tau_{app} = (A:\star)list(A) \to list(A) \to list(A)$ the concatenation function.

A usual definition for $app$ is:

- $app(A, nil(A), \ell') \to \ell'$

- $app(A, cons(A, x, \ell), \ell') \to cons(A, x, app(A, \ell, \ell'))$

This definition satisfies the usual condition; it suffices to take $\Gamma = A:\star, x:A, \ell:list(A), \ell':list(A)$ and $T = list(A)$. But one may wonder whether it is really necessary to do an equality test between the first argument of $app$ and the first argument of $cons$ when one wants to apply the second rule. Indeed, if $app(A, cons(A', x, \ell), \ell')$ is well typed then, by inversion, $cons(A', x, \ell)$ is of type $list(A)$ and, by inversion again, $list(A')$ is convertible to $list(A)$. Hence, to allow the reduction even though $A'$ is different from $A$ does not seem to be harmful since $list(A')$ is convertible to $list(A)$.
In fact, what is important is not that the left-hand side of a rule is typable, but that, if an instance of the left-hand side of a rule is typable, then the corresponding instance of the right-hand side has the same type. We express this by requiring that there exists an environment $\Gamma$ in which the right-hand side is typable, and a substitution $\rho$ which replaces the variables of the left-hand side not belonging to $\Gamma$ by terms typable in $\Gamma$. Hence, one can consider the following rules:

- $app(A, nil(A'), \ell') \to \ell'$

- $app(A, cons(A', x, \ell), \ell') \to cons(A, x, app(A, \ell, \ell'))$

by taking $\Gamma = A:\star, x:A, \ell:list(A), \ell':list(A)$ and $\rho = \{A' \mapsto A\}$. In [20], we give 5 conditions, (S1) to (S5), which must be satisfied by the rule $l \to r$, $\Gamma$ and $\rho$. Assume that $l = f(\vec{l})$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$. Then, (S1) is $dom(\rho) \subseteq FV(l) \setminus dom(\Gamma)$ and (S2) is $\Gamma \vdash l\rho : U\gamma\rho$. Although these two first conditions are often true, they are not necessary for proving the subject reduction property. This is why, in the following definition, they are not written. However, we will see that (S2) is necessary for proving the strong normalization property (see Definition 81).
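The mechanism of Definitions 55 and 56, and the cost of the equality test discussed above, can be seen concretely on the two versions of $app$. The following Python block is an added example, not code from the thesis: it implements algebraic terms, syntactic matching (where a repeated pattern variable forces an equality test), the checks of Definition 56 on a rule, and leftmost-outermost $\mathcal{R}$-reduction. It keeps right-hand sides algebraic, which the text does not require, and it assumes a type-level rule $id(X) \to X$ (not in the text) so that $nat$ and $id(nat)$ are two syntactically different but convertible types; $A2$ stands for $A'$ and $l2$ for $\ell'$.

```python
"""Algebraic terms, matching and R-reduction (Definitions 55 and 56), run on
the usual and the linearised rules for app.  Constructed example, not the
thesis's own code.  The type-level rule id(X) -> X is an assumption, added so
that nat and id(nat) are two syntactically different but convertible types."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Fun:                          # f(t1,...,tn); a constant is Fun("nat", ())
    f: str
    args: Tuple["Term", ...] = ()

Term = Union[Var, Fun]
Subst = Dict[str, Term]
Rule = Tuple[Term, Term]

def V(name: str) -> Var: return Var(name)
def F(f: str, *args: Term) -> Fun: return Fun(f, tuple(args))

def fv(t: Term) -> Set[str]:
    return {t.name} if isinstance(t, Var) else set().union(*(fv(a) for a in t.args))

def is_linear(t: Term) -> bool:
    """left-linear: no variable occurs more than once in t."""
    occ: List[str] = []
    def walk(u: Term) -> None:
        if isinstance(u, Var): occ.append(u.name)
        else:
            for a in u.args: walk(a)
    walk(t)
    return len(occ) == len(set(occ))

def rule(l: Term, r: Term) -> Rule:
    """Definition 56: l is algebraic by construction, is not a variable, and FV(r) is in FV(l)."""
    if isinstance(l, Var): raise ValueError("left-hand side must not be a variable")
    if not fv(r) <= fv(l): raise ValueError("right-hand side has variables not in the left-hand side")
    return (l, r)

def match(pat: Term, t: Term, s: Subst) -> bool:
    """Syntactic matching t = pat s.  A repeated pattern variable forces an equality
    test between the two subterms it has matched: this is the cost of non-linearity."""
    if isinstance(pat, Var):
        if pat.name in s: return s[pat.name] == t
        s[pat.name] = t
        return True
    return (isinstance(t, Fun) and t.f == pat.f and len(t.args) == len(pat.args)
            and all(match(p, a, s) for p, a in zip(pat.args, t.args)))

def subst(t: Term, s: Subst) -> Term:
    if isinstance(t, Var): return s.get(t.name, t)
    return Fun(t.f, tuple(subst(a, s) for a in t.args))

def rewrite_at_root(t: Term, rules: List[Rule]) -> Optional[Term]:
    """r sigma if t = l sigma for some rule l -> r (t is an R-redex), else None."""
    for l, r in rules:
        s: Subst = {}
        if match(l, t, s): return subst(r, s)
    return None

def step(t: Term, rules: List[Rule]) -> Optional[Term]:
    """One R-reduction step, leftmost-outermost; None if t is in normal form."""
    red = rewrite_at_root(t, rules)
    if red is not None: return red
    if isinstance(t, Fun):
        for i, a in enumerate(t.args):
            a2 = step(a, rules)
            if a2 is not None: return Fun(t.f, t.args[:i] + (a2,) + t.args[i + 1:])
    return None

def normalize(t: Term, rules: List[Rule], limit: int = 1000) -> Tuple[Term, int]:
    """Normal form of t and the number of steps used (bounded, since R need not terminate)."""
    n = 0
    while True:
        t2 = step(t, rules)
        if t2 is None: return t, n
        t, n = t2, n + 1
        if n > limit: raise RuntimeError("no normal form within the step limit")

# the two definitions of app from the text; A2 stands for A'
ID = rule(F("id", V("X")), V("X"))                                   # assumed type-level rule
NONLINEAR = [rule(F("app", V("A"), F("nil", V("A")), V("l2")), V("l2")),
             rule(F("app", V("A"), F("cons", V("A"), V("x"), V("l")), V("l2")),
                  F("cons", V("A"), V("x"), F("app", V("A"), V("l"), V("l2"))))]
LINEAR = [rule(F("app", V("A"), F("nil", V("A2")), V("l2")), V("l2")),
          rule(F("app", V("A"), F("cons", V("A2"), V("x"), V("l")), V("l2")),
               F("cons", V("A"), V("x"), F("app", V("A"), V("l"), V("l2"))))]

NAT = F("nat")
# app(nat, cons(id(nat), 0, nil(nat)), nil(nat)): the cons carries A' = id(nat), convertible to nat
T0 = F("app", NAT, F("cons", F("id", NAT), F("0"), F("nil", NAT)), F("nil", NAT))
EXPECTED = F("cons", NAT, F("0"), F("nil", NAT))

if __name__ == "__main__":
    print(rewrite_at_root(T0, NONLINEAR))      # None: the equality test nat = id(nat) fails
    print(rewrite_at_root(T0, LINEAR))         # fires immediately
    print(normalize(T0, NONLINEAR + [ID]))     # 3 steps: id(nat) must be reduced first
    print(normalize(T0, LINEAR + [ID]))        # 2 steps
```

With the non-left-linear rules the redex at the root is not recognised until the inner $id(nat)$ has been normalised, so the syntactic equality test has to be replaced by a conversion test or preceded by extra reduction steps; with the linearised rules the root redex fires at once and the extra argument $A'$ is simply discarded, which is what the environment $\Gamma$ and the substitution $\rho$ make safe.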

Definition 58 (Well-typed rule) A rule $l \to r$ is well-typed if there exist an environment $\Gamma$ and a substitution $\rho$ such that, if $l = f(\vec{l})$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$ then:

(S3) $\Gamma \vdash r : U\gamma\rho$,

(S4) for all $\Delta$, $\sigma$ and $T$, if $\Delta \vdash l\sigma : T$ then $\sigma : \Gamma \to \Delta$,

(S5) for all $\Delta$, $\sigma$ and $T$, if $\Delta \vdash l\sigma : T$ then, for all $x$, $x\sigma \downarrow x\rho\sigma$.

In the following, we will write $(l \to r, \Gamma, \rho) \in \mathcal{R}$ when the previous conditions are satisfied.

An example using a dependent type is given by the concatenation of two lists of given length and the function $map$ which, to a function $f$ and a list $a_1 \ldots a_n$, associates the list $f(a_1) \ldots f(a_n)$:

- $T \in \mathcal{F}^\Box_0$ with $\tau_T = \star$ a type constant,

- $nat \in \mathcal{F}^\Box_0$ with $\tau_{nat} = \star$ the type of natural numbers,

- $0 \in \mathcal{F}^\star_0$ with $\tau_0 = nat$ zero,

- $s \in \mathcal{F}^\star_1$ with $\tau_s = nat \to nat$ the successor function,

- $+ \in \mathcal{F}^\star_2$ with $\tau_+ = nat \to nat \to nat$ the addition on $nat$,

- $listn \in \mathcal{F}^\Box_1$ with $\tau_{listn} = nat \to \star$ the type of lists of given length,

- $niln \in \mathcal{F}^\star_0$ with $\tau_{niln} = listn(0)$ the empty list,

- $consn \in \mathcal{F}^\star_3$ with $\tau_{consn} = T \to (n:nat)listn(n) \to listn(s(n))$ the function adding an element at the head of a list,

- $appn \in \mathcal{F}^\star_4$ with $\tau_{appn} = (n:nat)listn(n) \to (n':nat)listn(n') \to listn(n + n')$ the concatenation function,

- $mapn \in \mathcal{F}^\star_3$ with $\tau_{mapn} = (T \to T) \to (n:nat)listn(n) \to listn(n)$ the function which, to a function $f : T \to T$ and a list $a_1 \ldots a_n$, associates the list $f(a_1) \ldots f(a_n)$,

where $+$, $appn$ and $mapn$ are defined by:

- $+(0, n') \to n'$

- $+(s(n), n') \to s(n + n')$

- $appn(0, \ell, n', \ell') \to \ell'$

- $appn(p, consn(x, n, \ell), n', \ell') \to consn(x, n + n', appn(n, \ell, n', \ell'))$

- $mapn(f, 0, \ell) \to \ell$

- $mapn(f, p, consn(x, n, \ell)) \to consn(fx, n, mapn(f, n, \ell))$

- $mapn(f, p, appn(n, \ell, n', \ell')) \to appn(n, mapn(f, n, \ell), n', mapn(f, n', \ell'))$

For the second rule of $appn$, we take $\Gamma = x:T, n:nat, \ell:listn(n), n':nat, \ell':listn(n')$ and $\rho = \{p \mapsto s(n)\}$. This avoids checking that $p$ is convertible to $s(n)$.

For the third rule of $mapn$, we take $\Gamma = f:T \to T, n:nat, \ell:listn(n), n':nat, \ell':listn(n')$ and $\rho = \{p \mapsto n + n'\}$. This avoids checking that $p$ is convertible to $n + n'$.

The reader will find other examples in Section 7.2.

Lemma 59 (Subject reduction for rewriting) If $\mathcal{R}$ is a set of well-typed rules then $\to_{\mathcal{R}}$ preserves typing.

Proof. We proceed as for the correctness of $\to_\beta$ and only consider case (symb):

$$\text{(symb)}\quad \frac{\vdash \tau_f : s \quad\ \Gamma \text{ valid} \quad\ \Gamma \vdash t_1 : T_1\gamma \;\ \ldots\ \; \Gamma \vdash t_n : T_n\gamma}{\Gamma \vdash f(\vec{t}) : U\gamma} \quad (f \in \mathcal{F}_n,\ \tau_f = (\vec{x}:\vec{T})U,\ \gamma = \{\vec{x} \mapsto \vec{t}\})$$

Let $(l \to r, \Gamma_0, \rho) \in \mathcal{R}$ with $l = f(\vec{l})$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma_0 = \{\vec{x} \mapsto \vec{l}\}$. Assume that $t = l\sigma$. We prove that $\Gamma \vdash r\sigma : U\gamma$. By (S4), $\sigma : \Gamma_0 \to \Gamma$. By (S3), $\Gamma_0 \vdash r : U\gamma_0\rho$. Therefore, by substitution, $\Gamma \vdash r\sigma : U\gamma_0\rho\sigma$. By (S5), for all $x$, $x\rho\sigma$ and $x\sigma$ have a common reduct that we will call $t_x$. Therefore, by successively reducing in $U\gamma_0\rho\sigma$ each $x\rho\sigma$ to $t_x$, and in $U\gamma_0\sigma$ each $x\sigma$ to $t_x$, we obtain $U\gamma_0\rho\sigma \downarrow U\gamma_0\sigma$. But $U\gamma_0\sigma = U\gamma$ and, by inversion, there exists $s'$ such that $\Gamma \vdash U\gamma : s'$. Therefore, by (conv), $\Gamma \vdash r\sigma : U\gamma_0\sigma$. ■

Theorem 60 (Admissibility) A logical ATS whose rules are well-typed is an RTS, i.e. its reduction relation preserves typing.

Proof. It is true for $\to_\beta$ since we assume that the ATS is logical. For $\to_{\mathcal{R}}$, this comes from the correctness of rewriting. ■

How to check the conditions (S3), (S4) and (S5)? In all their generality, they are certainly undecidable. On the one hand, we do not know whether $\vdash$ and $\downarrow$ are decidable and, on the other hand, in (S4) and (S5), we arbitrarily quantify over $\Delta$, $\sigma$ and $T$. It is therefore necessary to make additional hypotheses. In the following, we successively consider the three conditions.

Let us look at (S3). In practice, the symbols and their defining rules are often added one after another (or by groups, but the following argument can be generalized). Let $(\mathcal{F}, \mathcal{R})$ be a system in which $\vdash$ is decidable (for example, a functional, confluent and strongly normalizing system), $f \notin \mathcal{F}$ and $\mathcal{R}_f$ a set of rules defining $f$ and whose symbols belong to $\mathcal{F}' = \mathcal{F} \cup \{f\}$. Then, in $(\mathcal{F}', \mathcal{R})$, $\vdash$ is still decidable. One can therefore try to check (S3) in this system. This does not seem an important restriction: it would be surprising if the typing of a rule required the use of the rule itself!

We now consider (S4).

Definition 61 (Canonical and derived types) Let $t$ be a term of the form $l\sigma$ with $l = f(\vec{l})$ algebraic, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$. The term $U\gamma\sigma$ will be called the canonical type of $t$.

Let $p \in Pos(l)$ with $p \neq \varepsilon$. We define the type of $t|_p$ derived from $t$, $\tau(t, p)$, as follows:

- if $p = i$ then $\tau(t, p) = T_i\gamma\sigma$,

- if $p = iq$ and $q \neq \varepsilon$ then $\tau(t, p) = \tau(t_i, q)$.

In fact, the type of $t|_p$ derived from $t$ only depends on the term just above $t|_p$ in $t$.

The following lemma shows that the canonical type of $t$ and the type of $t|_p$ derived from $t$ are indeed types for $t$ and $t|_p$ respectively.

Lemma 62 Let $t$ be a term of the form $l\sigma$ with $l = f(\vec{l})$ algebraic and $\Gamma \vdash t : T$, $V$ the canonical type of $t$ and $p \in Pos(l)$ with $p \neq \varepsilon$. In any TSM, $\Gamma \vdash t : V$ and $\Gamma \vdash t|_p : \tau(t, p)$.

Proof. From $\Gamma \vdash t : T$, by inversion, we immediately obtain $\Gamma \vdash t : V$. Let us consider $\Gamma \vdash t|_p : \tau(t, p)$ now. As $p \neq \varepsilon$, we have $p = qi$, $t|_q$ of the form $g(\vec{k}\sigma)$ with $g(\vec{k})$ algebraic and $t|_q$ typable in $\Gamma$. Assume that $\tau_g = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{k}\}$. Then, $\tau(t, p) = T_i\gamma\sigma$ and, by inversion, $\Gamma \vdash t|_p : T_i\gamma\sigma$. ■

Lemma 63 (S4) Let $l \to r$ be a rule and $\Gamma$ be an environment. If, for all $x \in dom(\Gamma)$, there exists $p_x \in Pos(x, l)$ such that $\tau(l, p_x) = x\Gamma$, then (S4) is satisfied.

Proof. Assume that $\Delta \vdash l\sigma : T$. As $l$ is algebraic, by inversion, $\Delta \vdash x\sigma : \tau(l\sigma, p_x) = \tau(l, p_x)\sigma = x\Gamma\sigma$. ■
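Definition 61 and the sufficient condition of Lemma 63 are mechanical enough to be run on the second rule of $appn$ from the dependent-list example. The following Python block is an added example, not code from the thesis: it stores the signatures $\tau_{consn}$ and $\tau_{appn}$ as transcribed from the text (with $n2$ and $l2$ standing for $n'$ and $\ell'$), computes the canonical type $U\gamma\sigma$ and the derived types $\tau(t, p)$, and looks, for every $x \in dom(\Gamma)$, for a position $p_x$ of $x$ in $l$ with $\tau(l, p_x) = x\Gamma$. It also exhibits why the argument $p$ of the rule needs $\rho = \{p \mapsto s(n)\}$: the subterm $consn(x, n, \ell)$ at position 2 has derived type $listn(p)$ but canonical type $listn(s(n))$.

```python
"""Canonical and derived types (Definition 61) and the sufficient condition for
(S4) of Lemma 63, checked on the second rule of appn from the dependent-list
example.  Constructed example, not the thesis's own code; n2 and l2 stand for
n' and l', and the signatures of consn and appn are transcribed from the text."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Fun:                                # f(t1,...,tn); used for terms and for types alike
    f: str
    args: Tuple["Term", ...] = ()

Term = Union[Var, Fun]
Pos = Tuple[int, ...]                     # () is epsilon

def F(f: str, *args: Term) -> Fun:
    return Fun(f, tuple(args))

def subst(t: Term, s: Dict[str, Term]) -> Term:
    if isinstance(t, Var):
        return s.get(t.name, t)
    return Fun(t.f, tuple(subst(a, s) for a in t.args))

# tau_f = (x1:T1)...(xn:Tn)U is stored as ([(x1,T1),...,(xn,Tn)], U); a non-dependent
# arrow just gets a bound name that no later type mentions
NAT, TT = F("nat"), F("T")
SIG: Dict[str, Tuple[List[Tuple[str, Term]], Term]] = {
    "consn": ([("x", TT), ("n", NAT), ("l", F("listn", Var("n")))],
              F("listn", F("s", Var("n")))),
    "appn":  ([("n", NAT), ("l", F("listn", Var("n"))), ("n2", NAT), ("l2", F("listn", Var("n2")))],
              F("listn", F("+", Var("n"), Var("n2")))),
}

def gamma(t: Fun) -> Dict[str, Term]:
    """gamma = {x -> t} for t = f(t) with tau_f = (x:T)U."""
    return {x: a for (x, _), a in zip(SIG[t.f][0], t.args)}

def canonical_type(t: Fun) -> Term:
    """U gamma sigma; sigma is already applied inside the arguments of t."""
    return subst(SIG[t.f][1], gamma(t))

def derived_type(t: Fun, p: Pos) -> Term:
    """tau(t, p) for p != epsilon: T_i gamma sigma if p = i, tau(t_i, q) if p = i q."""
    i, q = p[0], p[1:]
    if not q:
        return subst(SIG[t.f][0][i - 1][1], gamma(t))
    return derived_type(t.args[i - 1], q)

def subterm(t: Term, p: Pos) -> Term:
    for i in p:
        t = t.args[i - 1]
    return t

def var_positions(t: Term, prefix: Pos = ()) -> Dict[str, List[Pos]]:
    """Pos(x, t) for every variable x of the algebraic term t."""
    out: Dict[str, List[Pos]] = {}
    if isinstance(t, Var):
        out[t.name] = [prefix]
    else:
        for i, a in enumerate(t.args, 1):
            for x, ps in var_positions(a, prefix + (i,)).items():
                out.setdefault(x, []).extend(ps)
    return out

def s4_witnesses(l: Fun, env: Dict[str, Term]) -> Dict[str, Optional[Pos]]:
    """Lemma 63: for each x in dom(Gamma), a position p_x of x in l with tau(l, p_x) = x Gamma,
    or None when no occurrence of x has the right derived type."""
    occ = var_positions(l)
    return {x: next((p for p in occ.get(x, []) if derived_type(l, p) == ty), None)
            for x, ty in env.items()}

# second rule of appn:  appn(p, consn(x, n, l), n', l')  ->  consn(x, n + n', appn(n, l, n', l'))
LHS = F("appn", Var("p"), F("consn", Var("x"), Var("n"), Var("l")), Var("n2"), Var("l2"))
GAMMA = {"x": TT, "n": NAT, "l": F("listn", Var("n")), "n2": NAT, "l2": F("listn", Var("n2"))}

if __name__ == "__main__":
    print(s4_witnesses(LHS, GAMMA))
    # the subterm consn(x, n, l) at position 2: derived type listn(p), canonical type listn(s(n));
    # their convertibility is exactly what rho = {p -> s(n)} and (S5) are about
    print(derived_type(LHS, (2,)), canonical_type(subterm(LHS, (2,))))
```

Every variable of $\Gamma$ gets a witness position (for $\ell'$ it is position 4, whose derived type $listn(n')\gamma$ is $listn(n')$ because $\gamma$ only touches the bound names of $\tau_{appn}$), so Lemma 63 applies and (S4) holds for this rule; the derived type of position 2 is the only place where the extra variable $p$ shows up.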

On the other hand, for (S5), we have no general result. By inversion, (S5) can be seen as a problem of unification modulo $\downarrow^*$. The confluence of $\to$ (which implies $\downarrow^* = \downarrow$) can therefore be very useful. Unfortunately, there are very few general results on the confluence of $\to_{\mathcal{R}} \cup \to_\beta$ (see the discussion after Definition 91). On the other hand, one can easily prove that local confluence is preserved.

Lemma 64 (Local confluence) If $\to_{\mathcal{R}}$ is locally confluent on $T(\mathcal{F}, \mathcal{X})$ then $\to\ =\ \to_{\mathcal{R}} \cup \to_\beta$ is locally confluent on $\mathcal{T}$.

Proof. We write $t \to_p t'$ when there exists $u$ such that $t|_p \to u$ and $t' = t[u]_p$ (reduction at position $p$). Assume that $t \to_p t_1$ and $t \to_q t_2$. We prove by induction on $t$ that there exists $t'$ such that $t_1 \to^* t'$ and $t_2 \to^* t'$. There are three cases:

- $p$ and $q$ have no common prefix. The reductions at $p$ and $q$ can be done in parallel: $t_1 \to_q t'_1$, $t_2 \to_p t'_2$ and $t'_1 = t'_2$.

- $p = ip'$ and $q = iq'$. We can conclude by induction hypothesis on $t_i$.

- $p = \varepsilon$ or $q = \varepsilon$. By exchanging the roles of $p$ and $q$, we can assume that $p = \varepsilon$. Then, there are two cases:

  - $t = [x:V]u\,v$ and $t_1 = u\{x \mapsto v\}$. One can distinguish three sub-cases:

    ∘ $q = 11q'$ and $V \to_{q'} V'$. Then $t' = t_1$ works.

    ∘ $q = 12q'$ and $u \to_{q'} u'$. Then $t' = u'\{x \mapsto v\}$ works.

    ∘ $q = 2q'$ and $v \to_{q'} v'$. Then $t' = u\{x \mapsto v'\}$ works.

  - $t = l\sigma$, $l \to r \in \mathcal{R}$ and $t_1 = r\sigma$. There exists an algebraic term $u$ of maximal size and a substitution $\theta$ such that $t = u\theta$ and $x\theta = y\theta$ implies $x = y$ ($u$ and $\theta$ are unique up to the choice of variables and $u$ has the same non-linearities as $t$). As the left-hand sides of rules are algebraic, $u = l\sigma'$ and $\sigma = \sigma'\theta$. Now, one can distinguish two sub-cases:

    ∘ $q \in Pos(u)$. As the left-hand sides of rules are algebraic, we have $u \to_{\mathcal{R}} r\sigma'$ and $u \to_{\mathcal{R}} v$. By local confluence of $\to_{\mathcal{R}}$ on $T(\mathcal{F}, \mathcal{X})$, there exists $u'$ such that $r\sigma' \to^* u'$ and $v \to^* u'$. Hence, $t_1 = r\sigma'\theta \to^* u'\theta$ and $t_2 = v\theta \to^* u'\theta$.

    ∘ $q = q_1q'$ and $u|_{q_1} = x$. Let $q_2, \ldots, q_n$ be the positions of the other occurrences of $x$ in $u$. If one reduces $t_2$ at each position $q_iq'$, one obtains a term of the form $l\sigma'\theta'$ where $\theta'$ is the substitution equal to $\theta$ but for $x$ where it is equal to the reduct of $x\theta$. Then, it suffices to take $t' = r\sigma'\theta'$. ■
Chapter 6

Conditions of Strong Normalization

In this chapter, we are going to give strong normalization conditions for ATS's based on the Calculus of Constructions.

Definition 65 (CAC) A Calculus of Algebraic Constructions (CAC) is an ATS $(\mathcal{S}, \mathcal{X}, \mathcal{A}, \mathcal{B}, \tau, \mathcal{R})$ such that $\mathcal{S} = \{\star, \Box\}$, $\mathcal{A} = \{(\star, \Box)\}$ and $\mathcal{B} = \{(s_1, s_2, s_3) \in \mathcal{S}^3 \mid s_2 = s_3\}$.

A CAC is injective and regular.

6.1 Term classes

After the Separation and Classification Lemmas, typable terms can be divided into three disjoint classes: $\mathcal{T}^\Box_0$, $\mathcal{T}^\Box_1$ and $\mathcal{T}^\star_1$. For denoting them, we introduce more explicit notations.

Definition 66 (Typing classes)

- Let $K = \mathcal{T}^\Box_0$ be the class of predicate types.

- Let $P = \mathcal{T}^\Box_1$ be the class of predicates.

- Let $O = \mathcal{T}^\star_1$ be the class of objects.

That a well-typed term belongs to one of these classes can be easily decided by introducing the following syntactic classes:

Definition 67 (Syntactic classes)

• The syntactic class $\mathcal{K}$ of predicate types:

- $\star \in \mathcal{K}$,

- if $x \in \mathcal{X}$, $T \in \mathcal{T}$ and $K \in \mathcal{K}$ then $(x:T)K \in \mathcal{K}$.

• The syntactic class $\mathcal{P}$ of predicates:

- $\mathcal{X}^\Box \subseteq \mathcal{P}$,

- if $x \in \mathcal{X}$, $T \in \mathcal{T}$ and $P \in \mathcal{P}$ then $(x:T)P \in \mathcal{P}$ and $[x:T]P \in \mathcal{P}$,

- if $P \in \mathcal{P}$ and $t \in \mathcal{T}$ then $Pt \in \mathcal{P}$,

- if $F \in \mathcal{F}^\Box$ and $t_1, \ldots, t_n \in \mathcal{T}$ then $F(\vec{t}) \in \mathcal{P}$.

• The syntactic class $\mathcal{O}$ of objects:

- $\mathcal{X}^\star \subseteq \mathcal{O}$,

- if $x \in \mathcal{X}$, $T \in \mathcal{T}$ and $u \in \mathcal{O}$ then $[x:T]u \in \mathcal{O}$,

- if $u \in \mathcal{O}$ and $t \in \mathcal{T}$ then $ut \in \mathcal{O}$,

- if $f \in \mathcal{F}^\star$ and $t_1, \ldots, t_n \in \mathcal{T}$ then $f(\vec{t}) \in \mathcal{O}$.

Lemma 68 Syntactic classes are disjoint from one another and each typing class is included in its corresponding syntactic class: $K \subseteq \mathcal{K}$, $P \subseteq \mathcal{P}$ and $O \subseteq \mathcal{O}$.

Proof. That the syntactic classes are disjoint from one another comes from their definition. We prove that if $\Gamma \vdash t : T$ then $t$ belongs to the syntactic class corresponding to its typing class by induction on $\Gamma \vdash t : T$. We follow the notations used in the typing rules.

(ax) As $\mathcal{A} = \{(\star, \Box)\}$, we necessarily have $s_1 = \star$ and $s_2 = \Box$. But $\star \in K \cap \mathcal{K}$.

(symb) By inversion and regularity, $\Gamma \vdash U\gamma : s$. Therefore, if $f \in \mathcal{F}^\star$ then $f(\vec{t}) \in O \cap \mathcal{O}$, and if $f \in \mathcal{F}^\Box$ then $f(\vec{t}) \in P \cap \mathcal{P}$.

(var) If $x \in \mathcal{X}^\star$ then $x \in O \cap \mathcal{O}$, and if $x \in \mathcal{X}^\Box$ then $x \in P \cap \mathcal{P}$.

(weak) By induction hypothesis.

(prod) By regularity, $U$ and $(x:T)U$ have the same type. We can therefore conclude by induction hypothesis on $U$.

(abs) By inversion and regularity, $(x:T)U$ and $U$ have the same type. We can therefore conclude by induction hypothesis on $u$.

(app) By inversion and regularity, $V\{x \mapsto u\}$ and $(x:U)V$ have the same type. We can therefore conclude by induction hypothesis on $t$.

(conv) By conversion correctness, $T$ and $T'$ have the same type. We can therefore conclude by induction hypothesis. ■

6.2 Inductive types and constructors

Until now, we have made few hypotheses on symbols and rewrite rules. However, N. P. Mendler [90] showed that the extension of the simply-typed $\lambda$-calculus with recursion on inductive types is strongly normalizing if and only if the inductive types satisfy some positivity condition.

A base type $T$ occurs positively in a type $U$ if all the occurrences of $T$ in $U$ are on the left of an even number of $\to$. A type $T$ is positive if $T$ occurs positively in the types of the arguments of its constructors. Usual inductive types like natural numbers and lists of natural numbers are positive.

Now let us see an example of a non-positive type $T$. Let $U$ be a base type. Assume that $T$ has a constructor $c$ of type $(T \to U) \to T$. $T$ is not positive because $T$ occurs at a negative position in $T \to U$. Consider now the function $p$ of type $T \to (T \to U)$ defined by the rule $p(c(x)) \to x$. Let $\omega = \lambda x.p(x)x$ of type $T \to U$. Then the term $\omega\,c(\omega)$ of type $U$ is not normalizable:

$$\omega\,c(\omega) \to_\beta p(c(\omega))\,c(\omega) \to_{\mathcal{R}} \omega\,c(\omega)$$

In the case where $U = \star$, we can interpret this as Cantor's Theorem: there is no surjection from a set $T$ to the set of its subsets $T \to \star$. In this interpretation, $p$ is the natural injection between $T$ and $T \to \star$. Saying that $p$ is surjective is equivalent to saying (with the Axiom of Choice) that there exists $c$ such that $p \circ c$ is the identity, that is, such that $p(c(x)) \to x$. In [49], G. Dowek shows that such a hypothesis is incoherent. Here, we show that this is related to the non-normalization of non-positive inductive types.

N. P. Mendler also gives a condition, strong positivity, in the case of dependent and polymorphic types. A similar notion, but more restrictive, strict positivity, is used by T. Coquand and C. Paulin in the Calculus of Inductive Constructions [39].

Hereafter we introduce the more general notion of admissible inductive structure. In particular, we do not consider that a constructor must be constant: it will be possible to have rewrite rules on constructors. This will allow us to formalize quotient types such as the type $int$ of integers:

- $int \in \mathcal{F}^\Box_0$ with $\tau_{int} = \star$ the type of integers,

- $0 \in \mathcal{F}^\star_0$ with $\tau_0 = int$ the constant zero,

- $s \in \mathcal{F}^\star_1$ with $\tau_s = int \to int$ the successor function,

- $p \in \mathcal{F}^\star_1$ with $\tau_p = int \to int$ the predecessor function,

where $s$ and $p$ are defined by:

- $s(p(x)) \to x$

- $p(s(x)) \to x$

Definition 69 (Constructors) Let $C$ be a constant predicate symbol. A symbol $f$ is a constructor of $C$ if $\tau_f$ is of the form $(\vec{y}:\vec{U})C(\vec{v})$ with $\alpha_f = |\vec{y}|$.

Our notion of constructor not only includes the usual (constant) constructors but also any symbol producing terms of type $C$. For example:

- $+ \in \mathcal{F}^\star_2$ with $\tau_+ = int \to int \to int$ the addition on integers,

- $\times \in \mathcal{F}^\star_2$ with $\tau_\times = int \to int \to int$ the multiplication on integers,

or with polymorphic lists:

- $app \in \mathcal{F}^\star_3$ with $\tau_{app} = (A:\star)list(A) \to list(A) \to list(A)$ the concatenation function.

A constant predicate symbol having some constructors cannot have any arity:

Definition 70 (Maximal arity) A predicate symbol $F$ is of maximal arity if $\tau_F = (\vec{x}:\vec{T})\star$ and $\alpha_F = |\vec{x}|$.

Lemma 71 Let $C$ be a constant predicate symbol and $c$ a constructor of $C$. In a logical CAC, if $\vdash \tau_C : \Box$ and $\vdash \tau_c : s$ then $s = \star$ and $C$ is of maximal arity.

Proof. Assume that $\tau_C = (\vec{x}:\vec{V})W$ and $\tau_c = (\vec{y}:\vec{U})C(\vec{v})$. Let $\gamma = \{\vec{x} \mapsto \vec{v}\}$. As $\Box$ is a maximal sort and $\vdash \tau_C : \Box$, after the lemma on maximal sorts, $W$ is of the form $(\vec{x}':\vec{V}')\star$. Now, from $\vdash \tau_c : s$, by inversion and regularity, one deduces that $\Gamma_c \vdash C(\vec{v}) : s$, $\Gamma_c \vdash C(\vec{v}) : W\gamma$ and $W\gamma \downarrow s$. As $\Gamma_c \vdash W\gamma : \Box$, by conversion correctness, $\Gamma_c \vdash s : \Box$ and, by inversion, $s = \star$. Therefore, after the lemma on maximal sorts, $\vec{x}' = \emptyset$ and $W = \star$. ■

Definition 72 (Inductive structure) An inductive structure is given by:

• a quasi-ordering $\ge_C$ on $\mathcal{CF}^\Box$ whose strict part $>_C$ is well-founded;

• for every constant predicate symbol $C$ of type $(\vec{x}:\vec{T})\star$, a set $Ind(C) \subseteq \{i \le \alpha_C \mid x_i \in \mathcal{X}^\Box\}$ for the inductive positions of $C$;

• for every constructor $c$, a set $Acc(c) \subseteq \{1, \ldots, \alpha_c\}$ for the accessible positions of $c$.

The accessible positions denote the arguments that one wants to use in the right-hand sides of rules. The inductive positions denote the parameters in which constructors must be monotone.

Definition 73 (Positive and negative positions) Let $T \in \mathcal{T} \setminus \mathcal{O}$. The set of positive positions in $T$, $Pos^+(T)$, and the set of negative positions in $T$, $Pos^-(T)$, are simultaneously defined by induction on the structure of $T$:

- $Pos^+(s) = Pos^+(F(\vec{t})) = Pos^+(X) = \{\varepsilon\}$,

- $Pos^-(s) = Pos^-(F(\vec{t})) = Pos^-(X) = \emptyset$,

- $Pos^\delta((x:V)W) = 1.Pos^{-\delta}(V) \cup 2.Pos^\delta(W)$,

- $Pos^\delta([x:V]W) = 1.Pos(V) \cup 2.Pos^\delta(W)$,

- $Pos^\delta(Vu) = 1.Pos^\delta(V) \cup 2.Pos(u)$,

- $Pos^\delta(VU) = 1.Pos^\delta(V)$,

- $Pos^+(C(\vec{t})) = \{\varepsilon\} \cup \bigcup \{i.Pos^+(t_i) \mid i \in Ind(C)\}$,

- $Pos^-(C(\vec{t})) = \bigcup \{i.Pos^-(t_i) \mid i \in Ind(C)\}$,

where $\delta \in \{-, +\}$, $-+ = -$, $-- = +$ (usual rule of signs). The set of neutral positions in $T$ is $Pos^0(T) = Pos^+(T) \cap Pos^-(T)$. The set of non-neutral positions in $T$ is $Pos^{\neq 0}(T) = (Pos^+(T) \cup Pos^-(T)) \setminus Pos^0(T)$.

The positive and negative positions do not form two disjoint sets. Their intersection forms the neutral positions. For example, all the positions of $u$ in $Vu$ or all the positions of $V$ in $[x:V]W$ are neutral. We will see in Section 8.3 that these subterms are not taken into account in the interpretation of a type.

In [20], we give 6 conditions, (I1) to (I6), for defining what is an admissible inductive structure. But we found that (I1) can be eliminated if we modify (I2) a little bit. That is why, in the following definition, there is no (I1) and (I2) is placed after (I6).

Definition 74 (Admissible inductive structures) An inductive structure is admissible if, for all constant predicate symbol $C$, for all constructor $c$ of type $(\vec{y}:\vec{U})C(\vec{v})$ and for all $j \in Acc(c)$:

(I3) $\forall D \in \mathcal{CF}^\Box$, $D =_C C \Rightarrow Pos(D, U_j) \subseteq Pos^+(U_j)$ (symbols equivalent to $C$ must be at positive positions),

(I4) $\forall D \in \mathcal{CF}^\Box$, $D >_C C \Rightarrow Pos(D, U_j) \subseteq Pos^0(U_j)$ (symbols greater than $C$ must be at neutral positions),

(I5) $\forall F \in \mathcal{DF}^\Box$, $Pos(F, U_j) \subseteq Pos^0(U_j)$ (defined symbols must be at neutral positions),

(I6) $\forall Y \in FV^\Box(U_j)$, $\exists \iota_Y \le \alpha_C$, $v_{\iota_Y} = Y$ (every predicate variable in $U_j$ must be a parameter of $C$),

(I2) $\forall Y \in FV^\Box(U_j)$, $\iota_Y \in Ind(C) \Rightarrow Pos(Y, U_j) \subseteq Pos^+(U_j)$ (every predicate variable in $U_j$ which is an inductive parameter of $C$ must be at a positive position).

For example, $\mathrm{Ind}(list) = \{1\}$, $\mathrm{Acc}(nil) = \{1\}$ and $\mathrm{Acc}(cons) = \{1, 2, 3\}$ is an admissible inductive structure. Assume we add:

- $tree \in \mathcal{F}^\square_0$ with $\tau_{tree} = \star$, the type of finite branching trees,

- $node \in \mathcal{F}^\star_1$ with $\tau_{node} = list(tree) \to tree$, its constructor.

Since $1 \in \mathrm{Ind}(list)$, if $\mathrm{Ind}(tree) = \emptyset$ and $\mathrm{Acc}(node) = \{1\}$ then we still have an admissible structure.

Allowing greater or defined symbols does not matter as long as these symbols are at neutral positions, since neutral subterms are not taken into account in the interpretation of a type.
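As an added illustration (this is not code from the thesis), the following Python checker computes $\mathrm{Pos}^+$, $\mathrm{Pos}^-$ and $\mathrm{Pos}^0$ of Definition 73 on a small term syntax and uses them to test the conditions (I2), (I3), (I4) and (I5) of Definition 74 on an argument type of a constructor. The term classes, the `ind` table (a stand-in for $\mathrm{Ind}$) and the sample argument types are assumptions constructed for the example; the admissible structure $\mathrm{Ind}(list) = \{1\}$, $\mathrm{Ind}(tree) = \emptyset$ is the one of the text, and `BAD_ARG` is a hypothetical constructor argument of type $tree \to tree$ that violates (I3).

```python
# Added example (not the thesis's own code): a checker for the positivity
# conditions of Definitions 73 and 74 on a toy term syntax. Symbol names and
# the Ind tables below are constructed for the illustration.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Pos = Tuple[int, ...]   # a position is a sequence of argument indices; () is epsilon

@dataclass(frozen=True)
class Sort:              # a sort symbol such as "*"
    name: str

@dataclass(frozen=True)
class Var:               # a term or predicate variable
    name: str

@dataclass(frozen=True)
class Sym:               # F(t) or C(t): a symbol applied to its arguments
    name: str
    args: tuple = ()

@dataclass(frozen=True)
class Prod:              # dependent product (x:V)W
    x: str
    V: object
    W: object

@dataclass(frozen=True)
class Abs:               # abstraction [x:V]W
    x: str
    V: object
    W: object

@dataclass(frozen=True)
class App:               # application V u
    V: object
    u: object

def children(T) -> tuple:
    """Immediate subterms of T in position order (argument i has index i)."""
    if isinstance(T, Sym):
        return T.args
    if isinstance(T, (Prod, Abs)):
        return (T.V, T.W)
    return (T.V, T.u) if isinstance(T, App) else ()

def below(i: int, S: Set[Pos]) -> Set[Pos]:
    """i.S: prefix every position of S with the argument index i."""
    return {(i,) + p for p in S}

def pos(T) -> Set[Pos]:
    """Pos(T): all positions of T."""
    result = {()}
    for i, child in enumerate(children(T), 1):
        result |= below(i, pos(child))
    return result

def pos_signed(T, delta: str, ind: Dict[str, Set[int]]) -> Set[Pos]:
    """Pos^delta(T), delta in {'+','-'}, following Definition 73. `ind` maps each
    constant predicate symbol C to Ind(C); a Sym not in `ind` is a defined symbol F."""
    root = {()} if delta == '+' else set()
    flipped = '-' if delta == '+' else '+'
    if isinstance(T, (Sort, Var)) or (isinstance(T, Sym) and T.name not in ind):
        return root                      # only the root is (positively) counted
    if isinstance(T, Sym):               # C(t): descend into inductive positions only
        for i in ind[T.name]:
            root = root | below(i, pos_signed(T.args[i - 1], delta, ind))
        return root
    if isinstance(T, Prod):              # the domain of a product changes sign
        return below(1, pos_signed(T.V, flipped, ind)) | below(2, pos_signed(T.W, delta, ind))
    if isinstance(T, Abs):               # the domain of an abstraction is neutral
        return below(1, pos(T.V)) | below(2, pos_signed(T.W, delta, ind))
    return below(1, pos_signed(T.V, delta, ind)) | below(2, pos(T.u))   # App: argument neutral

def neutral(T, ind) -> Set[Pos]:
    """Pos^0(T) = Pos^+(T) intersected with Pos^-(T)."""
    return pos_signed(T, '+', ind) & pos_signed(T, '-', ind)

def occurrences(name: str, T) -> Set[Pos]:
    """Pos(name, T): positions of T headed by the symbol or variable `name`."""
    here = {()} if isinstance(T, (Sym, Var)) and T.name == name else set()
    for i, child in enumerate(children(T), 1):
        here |= below(i, occurrences(name, child))
    return here

def only_positive(name: str, U, ind) -> bool:
    """(I3) for a symbol equivalent to C, (I2) for an inductive predicate variable:
    every occurrence of `name` in the argument type U is at a positive position."""
    return occurrences(name, U) <= pos_signed(U, '+', ind)

def only_neutral(name: str, U, ind) -> bool:
    """(I4)/(I5): a greater or defined symbol may occur in U only at neutral positions."""
    return occurrences(name, U) <= neutral(U, ind)

# Constructed inductive structure from the text: Ind(list) = {1}, Ind(tree) = {}.
IND = {"list": {1}, "nat": set(), "tree": set()}
CONS_ARG3 = Sym("list", (Var("A"),))           # third argument type of cons: list(A)
NODE_ARG1 = Sym("list", (Sym("tree"),))        # argument type of node: list(tree)
BAD_ARG = Prod("x", Sym("tree"), Sym("tree"))  # hypothetical argument type tree -> tree
```

With `IND` as above, `only_positive("tree", NODE_ARG1, IND)` holds precisely because $1 \in \mathrm{Ind}(list)$: with $\mathrm{Ind}(list) = \emptyset$ the occurrence of $tree$ at position $1$ would be neither positive nor negative, and (I3) would fail for $node$.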

The condition (16) means that the predicate arguments of a constructor must be 
parameters of their type. A similar condition appears in the works of M. Stefanova 
[108] ("safeness") and D. Walukiewicz [118] ("★-dependency"). On the other hand, 
in the Calculus of Inductive Constructions (CIC) [99], there is no such restriction. 
However, because of the typing rules of the elimination scheme, no very interesting 
function seems to be definable on a type not satisfying this condition. 

For example, let us take the type of heterogeneous non-empty lists (in the CIC syntax):

- $listh = \mathrm{Ind}(X:\star)\{C_1 \mid C_2\}$ where $C_1 = (A:\star)(x:A)X$ and $C_2 = (A:\star)(x:A)X \to X$,

- $endh = \mathrm{Constr}(1, listh)$,

- $consh = \mathrm{Constr}(2, listh)$.

The typing rule of the non-dependent elimination scheme $(\mathrm{Nodep}_{\star,\star})$ is:

$$\frac{\Gamma \vdash t : listh \quad \Gamma \vdash Q : \star \quad \Gamma \vdash f_1 : C_1\{listh, Q\} \quad \Gamma \vdash f_2 : C_2\{listh, Q\}}{\Gamma \vdash \mathrm{Elim}(t, Q)\{f_1 \mid f_2\} : Q}$$

where $C_1\{listh, Q\} = (A:\star)(x:A)Q$ and $C_2\{listh, Q\} = (A:\star)(x:A)listh \to Q \to Q$. So, $Q$, $f_1$ and $f_2$ must be typable in $\Gamma$. The result of $f_1$ or $f_2$ cannot depend on $A$ or $x$. This means that, for example, it is possible to compute the length of such a list but one cannot extract an element of such a list. We think that the length of such a list is an information that can surely be obtained without using such a data type.

We can distinguish several kinds of inductive types.

Definition 75 (Primitive, basic and strictly positive predicates) A constant predicate symbol $C$ is:

- primitive if for all $D =_C C$, for all constructor $d$ of type $(\vec y : \vec U)D(\vec w)$ and for all $j \in \mathrm{Acc}(d)$, $U_j$ is either of the form $E(\vec t)$ with $E <_C D$ and $E$ primitive, or of the form $E(\vec t)$ with $E =_C D$;

- basic if for all $D =_C C$, for all constructor $d$ of type $(\vec y : \vec U)D(\vec w)$ and for all $j \in \mathrm{Acc}(d)$, if $E =_C D$ occurs in $U_j$ then $U_j$ is of the form $E(\vec t)$;

- strictly positive if for all $D =_C C$, for all constructor $d$ of type $(\vec y : \vec U)D(\vec w)$ and for all $j \in \mathrm{Acc}(d)$, if $E =_C D$ occurs in $U_j$ then $U_j$ is of the form $(\vec z : \vec V)E(\vec t)$ and no $D' =_C D$ occurs in the $V_k$'s.

It is easy to see that a primitive predicate is basic and that a basic predicate is strictly positive. The type $listn$ of lists of length $n$ is primitive. The type $list$ of polymorphic lists is basic and not primitive.

The strictly positive predicates are the predicates allowed in the Calculus of Inductive Constructions (CIC). For example, the type of well-founded trees or Brouwer's ordinals:

- $ord \in \mathcal{F}^\square_0$ with $\tau_{ord} = \star$, the type of Brouwer's ordinals,

- $0 \in \mathcal{F}^\star_0$ with $\tau_0 = ord$, the ordinal zero,

- $s \in \mathcal{F}^\star_1$ with $\tau_s = ord \to ord$, the successor ordinal,

- $lim \in \mathcal{F}^\star_1$ with $\tau_{lim} = (nat \to ord) \to ord$, the limit ordinal.$^1$

Another example is given by the following process algebra, which uses a choice operator $\Sigma$ over some data type $data$ [107]:

- $data \in \mathcal{F}^\square_0$ with $\tau_{data} = \star$, a data type,

- $proc \in \mathcal{F}^\square_0$ with $\tau_{proc} = \star$, the type of processes,

- $\circ \in \mathcal{F}^\star_2$ with $\tau_\circ = proc \to proc \to proc$, the sequence,

- $+ \in \mathcal{F}^\star_2$ with $\tau_+ = proc \to proc \to proc$, the parallelization,

- $\delta \in \mathcal{F}^\star_0$ with $\tau_\delta = proc$, the deadlock,

- $\Sigma \in \mathcal{F}^\star_1$ with $\tau_\Sigma = (data \to proc) \to proc$, the choice operator.

A last example is given by the first-order predicate calculus:

- $term \in \mathcal{F}^\square_0$ with $\tau_{term} = \star$, the type of terms,

- $form \in \mathcal{F}^\square_0$ with $\tau_{form} = \star$, the type of formulas,

- $\vee \in \mathcal{F}^\star_2$ with $\tau_\vee = form \to form \to form$, the "or",

- $\neg \in \mathcal{F}^\star_1$ with $\tau_\neg = form \to form$, the "not",

- $\forall \in \mathcal{F}^\star_1$ with $\tau_\forall = (term \to form) \to form$, the universal quantification.

$^1$ A term of type $ord$ does not necessarily correspond to a true ordinal. However, if one carefully chooses the functions $f$ for the limit ordinals then one can represent an initial enumerable segment of the true ordinals.

For the moment, we do not forbid non-strictly positive predicates but the con- 
ditions we will describe in the next section do not allow one to define functions by 
recursion on such predicates. 

Yet these predicates can be useful, as shown by the following breadth-first label listing function of binary trees defined with the use of continuations [88]:

- $tree \in \mathcal{F}^\square_0$ with $\tau_{tree} = \star$, the type of binary labeled trees,

- $L \in \mathcal{F}^\star_1$ with $\tau_L = nat \to tree$, the leaf constructor,

- $N \in \mathcal{F}^\star_3$ with $\tau_N = nat \to tree \to tree \to tree$, the node constructor,

- $cont \in \mathcal{F}^\square_0$ with $\tau_{cont} = \star$, the type of continuations,

- $D \in \mathcal{F}^\star_0$ with $\tau_D = cont$,

- $C \in \mathcal{F}^\star_1$ with $\tau_C = ((cont \to list) \to list) \to cont$, its constructors,

- $@ \in \mathcal{F}^\star_2$ with $\tau_@ = cont \to (cont \to list) \to list$, the application on continuations defined by:

  - $@(D, g) \to g\,D$

  - $@(C(f), g) \to f\,g$

- $ex \in \mathcal{F}^\star_1$ with $\tau_{ex} = cont \to list$, the iterator on continuations defined by:

  - $ex(D) \to nil$

  - $ex(C(f)) \to f\,[k:cont]ex(k)$

- $br \in \mathcal{F}^\star_2$ with $\tau_{br} = tree \to cont \to cont$,

- $br\_fst \in \mathcal{F}^\star_1$ with $\tau_{br\_fst} = tree \to list$, the breadth-first label listing function defined by:

  - $br\_fst(t) \to ex(br(t, D))$

  - $br(L(x), k) \to C([g : cont \to list]\,cons(x, @(k, g)))$

  - $br(N(x, s, t), k) \to C([g : cont \to list]\,cons(x, @(k, [m:cont]\,g\,br(s, br(t, m)))))$

This function is strongly normalizable since it can be encoded into the polymorphic $\lambda$-calculus [86, 87]. However, it is not clear how to define a syntactic condition, a schema, ensuring the strong normalization of such definitions. Indeed, in the right hand-side of the second rule defining $ex$, $ex$ is explicitly applied to no argument smaller than $f$. However, $ex$ can only be applied to subterms of reducts of $f$. But not all the subterms of a computable term are a priori computable (see Subsection 6.3.2).
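To see the definition above run, here is a transcription into Python added for this edition (it is not the thesis's own code): the continuation type $cont$ is represented by the two classes `D` and `C`, and the rules for $@$, $ex$, $br$ and $br\_fst$ are copied one for one. The sample trees at the end are constructed for the illustration; $list$ is taken to be a list of natural numbers.

```python
# Added example (not the thesis's own code): the breadth-first label listing
# above, transcribed into Python so that the role of the continuation type
# cont = D | C(f), with f : (cont -> list) -> list, can be executed. The
# sample trees at the bottom are constructed for the illustration.
from dataclasses import dataclass
from typing import Callable, List, Union


@dataclass(frozen=True)
class L:                       # leaf constructor L : nat -> tree
    x: int


@dataclass(frozen=True)
class N:                       # node constructor N : nat -> tree -> tree -> tree
    x: int
    s: "Tree"
    t: "Tree"


Tree = Union[L, N]


class D:                       # the continuation D : cont
    pass


@dataclass(frozen=True)
class C:                       # C : ((cont -> list) -> list) -> cont
    f: Callable[[Callable[["Cont"], List[int]]], List[int]]


Cont = Union[D, C]


def at(k: Cont, g: Callable[[Cont], List[int]]) -> List[int]:
    """@(D, g) -> g D ; @(C(f), g) -> f g"""
    if isinstance(k, D):
        return g(k)
    return k.f(g)


def ex(k: Cont) -> List[int]:
    """ex(D) -> nil ; ex(C(f)) -> f [k:cont] ex(k)"""
    if isinstance(k, D):
        return []
    return k.f(lambda k2: ex(k2))


def br(t: Tree, k: Cont) -> Cont:
    """br(L(x), k)       -> C([g] cons(x, @(k, g)))
       br(N(x, s, t), k) -> C([g] cons(x, @(k, [m] g (br(s, br(t, m))))))"""
    if isinstance(t, L):
        return C(lambda g: [t.x] + at(k, g))
    return C(lambda g: [t.x] + at(k, lambda m: g(br(t.s, br(t.t, m)))))


def br_fst(t: Tree) -> List[int]:
    """br_fst(t) -> ex(br(t, D)): the labels of t in breadth-first order."""
    return ex(br(t, D()))


# Constructed sample trees.
SAMPLE = N(1, N(2, L(4), L(5)), N(3, L(6), N(7, L(8), L(9))))
SKEWED = N(1, N(2, N(3, L(4), L(5)), L(6)), L(7))
```

Running `br_fst(SKEWED)` returns the labels level by level (`[1, 2, 7, 3, 6, 4, 5]`), and one can observe in `ex` the point made in the text: the recursive call `ex(k2)` is passed to `f` as a function, so `ex` is never syntactically applied to a subterm of `f`.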

6.3 General Schema 
6.3.1 Higher-order rewriting 

Which conditions on rewrite rules would ensure the strong normalization of $\to = \to_\mathcal{R} \cup \to_\beta$? Since the works of V. Breazu-Tannen and J. Gallier [26] and M. Okada [97] on the simply-typed $\lambda$-calculus or the polymorphic $\lambda$-calculus, and later the works of F. Barbanera [4] on the Calculus of Constructions and of D. Dougherty [47] on the untyped $\lambda$-calculus, it is well known that adding first-order rewriting to typed $\lambda$-calculi preserves strong normalization. This comes from the fact that first-order rewriting cannot create new $\beta$-redexes. We will prove that this result can be extended to predicate-level rewriting if some conditions are fulfilled.

However, there are also many useful functions whose definition does not enter the first-order framework, either because some arguments are not primitive (the concatenation function $app$ on polymorphic lists), or because their definition uses higher-order features like the function $map$ which, to a function $f$ and a list $a_1 \ldots a_n$ of elements, associates the list $f(a_1) \ldots f(a_n)$:

- $map \in \mathcal{F}^\star_4$ with $\tau_{map} = (A:\star)(B:\star)(A \to B) \to list(A) \to list(B)$

- $map(A, B, f, nil(A')) \to nil(B)$

- $map(A, B, f, cons(A', x, \ell)) \to cons(B, fx, map(A, B, f, \ell))$

- $map(A, B, f, app(A', \ell, \ell')) \to app(B, map(A, B, f, \ell), map(A, B, f, \ell'))$

This is also the case of recursors:

- $natrec \in \mathcal{F}^\star_4$ with $\tau_{natrec} = (A:\star)A \to (nat \to A \to A) \to nat \to A$, the recursor on natural numbers

- $natrec(A, x, f, 0) \to x$

- $natrec(A, x, f, s(n)) \to f\,n\,natrec(A, x, f, n)$

- $plus \in \mathcal{F}^\star_0$ with $\tau_{plus} = nat \to nat \to nat$, the addition on natural numbers

- $plus \to [p:nat][q:nat]natrec(nat, p, [q':nat][r:nat]s(r), q)$

and of induction principles (recursors are just non-dependent versions of the corresponding induction principles):

- $natind \in \mathcal{F}^\star_4$ with $\tau_{natind} = (P : nat \to \star)P0 \to ((n:nat)Pn \to Ps(n)) \to (n:nat)Pn$

- $natind(P, h_0, h_s, 0) \to h_0$

- $natind(P, h_0, h_s, s(n)) \to h_s\,n\,natind(P, h_0, h_s, n)$

The methods used by V. Breazu-Tannen and J. Gallier [26] or D. Dougherty [47] cannot be applied to our calculus since, on the one hand, in contrast with first-order rewriting, higher-order rewriting can create $\beta$-redexes and, on the other hand, rewriting is included in the type conversion rule (conv), hence more terms are typable. But there exist other methods, available in the simply-typed $\lambda$-calculus only or in richer type systems, for proving the termination of this kind of definitions:

• The General Schema, initially introduced by J.-P. Jouannaud and M. Okada [74] for the polymorphic $\lambda$-calculus and extended to the Calculus of Constructions by F. Barbanera, M. Fernandez and H. Geuvers [7], is basically an extension of the primitive recursion schema: in the right hand-side of a rule $f(\vec l) \to r$, the recursive calls to $f$ must be done on strict subterms of $\vec l$. It can treat object-level and simply-typed symbols defined on primitive types. It has been reformulated and extended to strictly positive simple types by J.-P. Jouannaud, M. Okada and myself for the simply-typed $\lambda$-calculus [23] and the Calculus of Constructions [22].

• The Higher-Order Recursive Path Ordering (HORPO) of J.-P. Jouannaud and A. Rubio [76]$^2$ is an extension of the RPO [100, 45] for first-order terms to the terms of the simply-typed $\lambda$-calculus. It has been recently extended by D. Walukiewicz [118] to the Calculus of Constructions with polymorphic and dependent symbols at the object-level and with basic types. The General Schema can be seen as a non-recursive version of HORPO.

• It is also possible to look for an interpretation of the symbols such that the interpretation of a term strictly decreases when a rule is applied. This method, introduced by J. van de Pol for the simply-typed $\lambda$-calculus [116], extends to the higher-order case the method of interpretations known for the first-order framework. This is a very powerful method but difficult to use in practice because the interpretations are themselves of higher-order and also because it is not modular: adding new rules or new symbols may require finding new interpretations.

For dealing with higher-order rewriting at the predicate-level together with poly- 
morphic and dependent symbols and strictly positive predicates, we have chosen to 
extend the method of the General Schema. For first-order symbols, we will use other 
conditions like in [74, 7]. 

6.3.2 Definition of the schema 

This method is based on Tait and Girard's method of reducibility candidates [111, 64] for proving the strong normalization of the simply-typed and polymorphic $\lambda$-calculi. This method consists in defining a subset of the strongly normalizable terms, the computable terms, and in proving that each well-typed term is computable. Indeed, a direct proof of strong normalization by induction on the structure of terms does not go through because of the application case: if $u$ and $v$ are strongly normalizable then it is not clear how to prove that $uv$ is also strongly normalizable.

The idea of the General Schema is then, from a left hand-side $f(\vec l)$ of a rule, to define a set of terms, the computable closure, whose elements are computable whenever the $l_i$'s are computable. Hence, to prove the termination of a definition, it suffices to check that, for each rule, the right hand-side belongs to the computable closure of the left hand-side.

To build the computable closure, we first define a subset of the subterms of the $l_i$'s that are computable whenever the $l_i$'s are computable: the accessible subterms of the $l_i$'s (a priori not all the subterms of a computable term are computable). Then we build the computable closure by closing the set of the accessible variables of the left hand-side with computability-preserving operations.

For most interesting functions, we must be able to accept recursive calls. And to preserve strong normalization, recursive calls must decrease in a well-founded ordering. The strict subterm relation $\triangleright$ (in fact, restricted to accessible subterms for preserving computability) is sufficient for dealing with definitions on basic predicates. In the example of $map$, $\ell$ and $\ell'$ are strict accessible subterms of $app(A', \ell, \ell')$. But, for non-basic predicates, it is not sufficient, as exemplified by the following "addition" on Brouwer's ordinals:

- $+ \in \mathcal{F}^\star_2$ with $\tau_+ = ord \to ord \to ord$,

- $+(x, 0) \to x$

- $+(x, s(y)) \to s(+(x, y))$

- $+(x, lim(f)) \to lim([n:nat] +(x, fn))$

Another example is given by the following simplification rules on the process algebra $proc$ [107]:

- $+(p, p) \to p$

- $+(p, \delta) \to p$

- $\circ(\Sigma(f), p) \to \Sigma([d:data] \circ(fd, p))$

$^2$ This generalizes the previous works of C. Loria-Saenz and J. Steinbach [80], O. Lysne and J. Piris [83] and J.-P. Jouannaud and A. Rubio [77].

This is why, in our conditions, we will use two distinct orderings. The first one, $>_1$, will be used for the arguments of basic type and the second one, $>_2$, will be used for the arguments of strictly-positive type.

Finally, for finer control over comparing the arguments, to each symbol we will associate a status describing how to compare two sequences of arguments by a simple combination of lexicographic and multiset comparisons [75].

Definition 76 (Accessibility relations) Let $c$ be a constructor of type $(\vec y : \vec U)C(\vec v)$, $\vec u$ be arguments of $c$, $\gamma = \{\vec y \mapsto \vec u\}$ and $j \in \mathrm{Acc}(c)$ be an accessible position of $c$. Then:

• $u_j : U$ is weakly accessible modulo $\rho$ in $c(\vec u) : T$, written $c(\vec u) : T \,\triangleright^\rho_1\, u_j : U$, if $T\rho = C(\vec v)\gamma\rho$ and $U\rho = U_j\gamma\rho$.

• $u_j : U$ is strongly accessible modulo $\rho$ in $c(\vec u) : T$, written $c(\vec u) : T \,\triangleright^\rho_2\, u_j : U$, if $T\rho = C(\vec v)\gamma\rho$, $U\rho = U_j\gamma\rho$ and $U_j$ is of the form $(\vec x : \vec T)D(\vec w)$.

We can use these relations to define the orderings $>_1$ and $>_2$. We have $\triangleright^\rho_2 \subseteq \triangleright^\rho_1$. For technical reasons, we take into account not only the terms themselves but also their types. This comes from the fact that we are able to prove that two convertible types have the same interpretation only if these two types are computable. This may imply some restrictions on the types of the symbols.

Indeed, accessibility requires the equality (modulo the application of $\rho$) between canonical types and derived types (see Definition 61). More precisely, for having $t : T >_1 u : U$, $T$ must be equal (modulo $\rho$) to the canonical type of $t$ and $U$ must be equal (modulo $\rho$) to the type of $u$ derived from $t$. In addition, if $u : U >_1 v : V$ then $U$ must also be equal (modulo $\rho$) to the canonical type of $u$.
Definition 77 (Precedence) A precedence is a quasi-ordering $\ge_\mathcal{F}$ on $\mathcal{F}$ whose strict part $>_\mathcal{F}$ is well-founded. We will denote by $=_\mathcal{F}$ its associated equivalence relation.

Definition 78 (Status) Let $(x_i)_{i \ge 1}$ be an indexed family of variables.

Status. A status is a linear term of the form $lex(m_1, \ldots, m_k)$ with $k \ge 1$ and each $m_i$ of the form $mul(x_{k_1}, \ldots, x_{k_p})$ with $p \ge 1$. The arity of a status $stat$ is the greatest index $i$ such that $x_i$ occurs in $stat$.

Status assignment. A status assignment is an application $stat$ which, to each symbol $f$ of arity $n \ge 0$ and type $(\vec x : \vec T)U$, associates a status $stat_f = lex(\vec m)$ of arity smaller than or equal to $n$ such that:

- if $x_i \in FV(stat_f)$ then $T_i$ is of the form $C_i(\vec u)$ with $C_i$ a constant predicate symbol,

- if $m_i = mul(x_{k_1}, \ldots, x_{k_p})$ then $C_{k_1} =_C \cdots =_C C_{k_p}$.

Strictly positive positions. Let $f$ be a symbol of status $lex(\vec m)$. We will denote by $SP(f)$ the set of indices $i$ such that if $m_i = mul(x_{k_1}, \ldots, x_{k_p})$ then $C_{k_1}$ (therefore also $C_{k_2}, \ldots, C_{k_p}$) is strictly positive.

Assignment compatibility. A status assignment $stat$ is compatible with a precedence $\ge_\mathcal{F}$ if:

- $f =_\mathcal{F} g$ implies $stat_f = stat_g$ and, for all $i$, $C^f_i =_C C^g_i$.

Status ordering. Let $>$ be an ordering on terms and $stat = lex(\vec m)$ be a status of arity $n$. The extension by $stat$ of $>$ to the sequences of terms of length at least $n$ is the ordering $>_{stat}$ defined as follows:

- $\vec u >_{stat} \vec v$ if $\vec m\{\vec x \mapsto \vec u\} \,(>_m)_{lex}\, \vec m\{\vec x \mapsto \vec v\}$,

- $mul(\vec u) >_m mul(\vec v)$ if $\{\vec u\} >_{mul} \{\vec v\}$.

For example, if $stat = lex(mul(x_2), mul(x_1, x_3))$ then $\vec u >_{stat} \vec v$ if $(\{u_2\}, \{u_1, u_3\}) \,(>_{mul})_{lex}\, (\{v_2\}, \{v_1, v_3\})$. An important property of $>_{stat}$ is that it is a well-founded ordering whenever $>$ so is.
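The following Python block is an added example (not the thesis's own code) of the status ordering just defined: a multiset extension $>_{mul}$ (the Dershowitz-Manna ordering), a lexicographic extension, and their combination driven by a status given as groups of 1-based argument indices. The base ordering $>$ is taken to be the strict subterm relation on terms written as nested tuples; the terms, the status $lex(mul(x_2), mul(x_1, x_3))$ of the text and the rule arguments compared at the end are constructed for the illustration.

```python
# Added example (not from the thesis): the status ordering of Definition 78,
# built from a multiset extension and a lexicographic extension of a base
# ordering. Terms are nested tuples (symbol, arg1, ...) and the base ordering
# is the strict subterm relation; statuses and terms below are constructed.
from collections import Counter
from typing import Callable, List, Sequence

Term = tuple
Gt = Callable[[Term, Term], bool]       # a strict ordering on terms


def strict_subterm(a: Term, b: Term) -> bool:
    """a > b when b is a strict subterm of a (the relation written |> in the text)."""
    return any(sub == b or strict_subterm(sub, b) for sub in a[1:])


def mul_gt(gt: Gt, M: Counter, N: Counter) -> bool:
    """Multiset extension: M >mul N iff M != N and every element of N - M is
    dominated by some element of M - N (Dershowitz-Manna ordering)."""
    m_only, n_only = M - N, N - M           # Counter difference drops non-positive counts
    if not m_only and not n_only:
        return False                        # equal multisets
    return all(any(gt(x, y) for x in m_only) for y in n_only)


def mul_gt_seq(gt: Gt, xs: Sequence[Term], ys: Sequence[Term]) -> bool:
    """Convenience wrapper: compare the multisets {xs} and {ys}."""
    return mul_gt(gt, Counter(xs), Counter(ys))


def lex_gt(gt: Callable, us: Sequence, vs: Sequence) -> bool:
    """Lexicographic extension of gt on sequences of equal length; the first
    position where the components differ decides."""
    for u, v in zip(us, vs):
        if u != v:
            return gt(u, v)
    return False


def status_gt(stat: List[List[int]], gt: Gt, us: Sequence[Term], vs: Sequence[Term]) -> bool:
    """u >stat v for stat = lex(mul(x_k1, ..), ..), given as 1-based index groups:
    each group mul(x_k1, .., x_kp) becomes the multiset {u_k1, .., u_kp}."""
    def multisets(args: Sequence[Term]) -> List[Counter]:
        return [Counter(args[k - 1] for k in group) for group in stat]
    return lex_gt(lambda M, N: mul_gt(gt, M, N), multisets(us), multisets(vs))


# Constructed terms: 0, s(t), variables x and y, and the status of the text.
def S(t: Term) -> Term:
    return ("s", t)

ZERO, X, Y = ("0",), ("x",), ("y",)
EXAMPLE_STAT = [[2], [1, 3]]            # lex(mul(x2), mul(x1, x3))
```

With `EXAMPLE_STAT`, the second argument alone is compared first, and the multiset of the first and third arguments only breaks ties; with the status `[[2]]`, the arguments of the rule $+(x, s(y)) \to s(+(x, y))$ decrease, since $\{s(y)\} >_{mul} \{y\}$.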

We now define the orderings $>_1$ and $>_2$.

Definition 79 (Ordering on the arguments of a symbol) Let $R = (l \to r, \Gamma_0, \rho)$ be a rule with $l = f(\vec l)$, $\tau_f = (\vec x : \vec T)U$, $\gamma_0 = \{\vec x \mapsto \vec l\}$ and $stat_f = lex(\vec m)$.

• $t : T >_1 u : U$ if $t : T \,(\triangleright^\rho_1)^+\, u : U$.

• $t : T >_2 u : U$ if:

- $t$ is of the form $c(\vec t)$ with $c$ a constructor of type $(\vec x : \vec T)C(\vec v)$,

- $u$ is of the form $x\vec u$ with $x \in \mathrm{dom}(\Gamma_0)$, $x\Gamma_0$ of the form $(\vec y : \vec U)D(\vec w)$ and $D =_C C$,

- $t : T \,(\triangleright^\rho_2)^+\, x : V$ with $V = x\Gamma_0$.

Now, we define the ordering $>$ on the arguments of $f$ (in fact the pairs argument-type $u : U$). This is an adaptation of $>_{stat_f}$ where the ordering $>$ is $>_1$ or $>_2$ depending on the type (basic or strictly positive) of the argument. Assume that $stat_f = lex(m_1, \ldots, m_k)$. Then:

• $\vec u > \vec v$ if $\vec m\{\vec x \mapsto \vec u\} \,(>^1, \ldots, >^k)_{lex}\, \vec m\{\vec x \mapsto \vec v\}$,

• $mul(\vec u) >^i mul(\vec v)$ if $\{\vec u\} \,(>^{(i)})_{mul}\, \{\vec v\}$ with $>^{(i)} = >_2$ if $i \in SP(f)$ and $>^{(i)} = >_1$ otherwise.

One can easily check that, in the third rule of the addition on ordinals, $lim(f) : ord >_2 fn : ord$. Indeed, for this rule, one can take $\Gamma_0 = x : ord, f : nat \to ord$ and the identity for $\rho$. Then, $f \in \mathrm{dom}(\Gamma_0)$, $\tau(lim(f), 1)\rho = f\Gamma_0 = nat \to ord$ and $lim(f) : ord \,\triangleright_2\, f : nat \to ord$.



Figure 6.1: computable closure of $(f(\vec l) \to r, \Gamma_0, \rho)$
Definition 80 (Computable closure) Let $R = (l \to r, \Gamma_0, \rho)$ be a rule with $l = f(\vec l)$, $\tau_f = (\vec x : \vec T)U$ and $\gamma_0 = \{\vec x \mapsto \vec l\}$. The computable closure of $R$ w.r.t. a precedence $\ge_\mathcal{F}$ and a status assignment $stat$ compatible with $\ge_\mathcal{F}$ is the smallest relation $\vdash_c \subseteq \mathcal{E} \times \mathcal{T} \times \mathcal{T}$ defined by the inference rules of Figure 6.1. We will denote by $\vdash^<_c$ the restriction of $\vdash_c$ to the rules distinct from (symb$=$).

One can easily check that if $\Gamma \vdash_c t : T$ then $\Gamma = \Gamma_0, \Gamma'$. And also that $\vdash_c \subseteq \vdash$ and $\vdash^<_c \subseteq \vdash_f$.

It is important to note that the computable closure can easily be extended by 
adding new inference rules. For preserving the strong normalization, it suffices to 
complete the proof of Theorem 146 where we prove that the rules of the computable 
closure indeed preserve the computability. 

Definition 81 (Well-formed rule) Let $R = (l \to r, \Gamma_0, \rho)$ be a rule with $l = f(\vec l)$, $\tau_f = (\vec x : \vec T)U$ and $\gamma_0 = \{\vec x \mapsto \vec l\}$. The rule $R$ is well-formed if:

- $\Gamma_0 \vdash l\rho : U\gamma_0\rho$,

- for all $x \in \mathrm{dom}(\Gamma_0)$, there exists $i$ such that $l_i : T_i\gamma_0 \,(>_1)^*\, x : x\Gamma_0$,

- $\mathrm{dom}(\rho) \cap \mathrm{dom}(\Gamma_0) = \emptyset$.

For example, consider the rule:

$appn(p, consn(x, n, \ell), n', \ell') \to consn(x, n + n', appn(n, \ell, n', \ell'))$

with $\Gamma_0 = x : T, n : nat, \ell : listn(n), n' : nat, \ell' : listn(n')$ and $\rho = \{p \mapsto s(n)\}$. We have $\Gamma_0 \vdash l\rho : listn(p + n')\rho$. For $x$, we have $consn(x, n, \ell) : listn(p) >_1 x : T$. One can easily check that the conditions are also satisfied for the other variables.

Definition 82 (Recursive system) Let $R = (l \to r, \Gamma_0, \rho)$ be a rule with $l = f(\vec l)$, $\tau_f = (\vec x : \vec T)U$ and $\gamma_0 = \{\vec x \mapsto \vec l\}$. The rule satisfies the General Schema w.r.t. a precedence $\ge_\mathcal{F}$ and a status assignment $stat$ compatible with $\ge_\mathcal{F}$ if $R$ is well-formed and $\Gamma_0 \vdash_c r : U\gamma_0\rho$.

A set of rules $\mathcal{R}$ is recursive if there exists a precedence $\ge_\mathcal{F}$ and a status assignment $stat$ compatible with $\ge_\mathcal{F}$ for which every rule of $\mathcal{R}$ satisfies the General Schema w.r.t. $\ge_\mathcal{F}$ and $stat$.

Remark 83 (Decidability) A priori, because of the rule (conv) and of the condition $\vdash \tau_g : s$ for the rules (symb$<$) and (symb$=$), the relation $\vdash_c$ may be undecidable. On the other hand, if we assume $\vdash \tau_g : s$ and restrict the rule (conv) to a confluent and strongly normalizing fragment of $\to$ then $\vdash_c$ becomes decidable (with an algorithm similar to the one for $\vdash$). In practice, the symbols and the rules are often added one after the other (or by groups, but the argument can be generalized).

Let $(\mathcal{F}, \mathcal{R})$ be a confluent and strongly normalizing system, $f \notin \mathcal{F}$ and $\mathcal{R}_f$ a set of rules defining $f$ and whose symbols belong to $\mathcal{F}' = \mathcal{F} \cup \{f\}$. Then $(\mathcal{F}', \mathcal{R})$ is also confluent and strongly normalizing. Thus we can check that the rules of $\mathcal{R}_f$ satisfy the General Schema with the rule (conv) restricted to the case where $T \downarrow_\mathcal{R} T'$. This does not seem a big restriction: it would be surprising that the typing of a rule requires the use of the rule itself!
Before giving a detailed example, we are going to show several properties of $\vdash_c$. Indeed, to show $\Gamma_0 \vdash_c r : U\gamma_0\rho$, knowing that by (S3) we have $\Gamma_0 \vdash r : U\gamma_0\rho$, one can wonder whether it is possible to transform a derivation of $\Gamma_0 \vdash r : U\gamma_0\rho$ into a derivation of $\Gamma_0 \vdash_c r : U\gamma_0\rho$. The best thing would be that it is sufficient that the symbols in $r$ are smaller than $f$ and that the recursive calls are made on smaller arguments. We prove hereafter that it is sufficient when there is no recursive call.

Definition 84 A rule $l \to r$ is compatible with $\ge_\mathcal{F}$ if all the symbols in $r$ are smaller than or equivalent to $l$. A set of rules $\mathcal{R}$ is compatible with $\ge_\mathcal{F}$ if every rule of $\mathcal{R}$ is compatible with $\ge_\mathcal{F}$.

Lemma 85 Assume that $\mathcal{R}$ and $\tau$ are compatible with $\ge_\mathcal{F}$. Let $\Gamma$ be an environment with variables distinct from those of $\Gamma_0$. If $\Gamma \vdash_f t : T$ then $\Gamma_0, \Gamma \vdash^<_c t : T$.

Proof. By induction on $\Gamma \vdash_f t : T$. ∎

Lemma 86 (Substitution for $\vdash_c$) If $\Gamma_0, \Gamma \vdash^<_c t : T$ and $\theta : \Gamma_0, \Gamma \to \Gamma_0, \Gamma'$ in $\vdash_c$ (resp. in $\vdash^<_c$) then $\Gamma_0, \Gamma' \vdash_c t\theta : T\theta$ (resp. $\Gamma_0, \Gamma' \vdash^<_c t\theta : T\theta$).

Proof. By induction on $\Gamma_0, \Gamma \vdash^<_c t : T$. ∎

Lemma 87 If $\mathcal{R}$ and $\tau$ are compatible with $\ge_\mathcal{F}$, $\to$ is confluent and the symbols of $\Gamma_0$ are strictly smaller than $f$ then, for all $x \in \mathrm{dom}^s(\Gamma_0)$, $\Gamma_0 \vdash^<_c x\Gamma_0 : s$.

Proof. Assume that $\Gamma_0 = \vec y : \vec U$ and that $y_i$ is of sort $s_i$. We show by induction on $i$ that, for all $j \le i$, $\Gamma_0 \vdash^<_c U_j : s_j$. If $i = 0$, this is immediate. So, assume that $i > 0$. By induction hypothesis, for all $j < i$, $\Gamma_0 \vdash^<_c U_j : s_j$. So, we are left to show that $\Gamma_0 \vdash^<_c U_i : s_i$.

Let $\Gamma = y_1 : U_1, \ldots, y_{i-1} : U_{i-1}$, $\vec z$ be $i - 1$ fresh variables, $\theta = \{\vec y \mapsto \vec z\}$, $\theta' = \{\vec z \mapsto \vec y\}$ and $\Gamma' = \vec z : \vec U\theta$. By (S3), $\Gamma$ is valid. So, by the Environment Lemma, $\Gamma \vdash U_i : s_i$. Since $\to$ is confluent and the symbols in $\Gamma$ are strictly smaller than $f$, by Lemma 54, $\Gamma \vdash_f U_i : s_i$. By Replacement, $\Gamma' \vdash_f U_i\theta : s_i$. Therefore, by Lemma 85, $\Gamma_0, \Gamma' \vdash^<_c U_i\theta : s_i$.

Now we show that $\theta' : \Gamma_0, \Gamma' \to \Gamma_0$ in $\vdash^<_c$. For this, it is sufficient to show that, for all $j < i$, $\Gamma_0 \vdash^<_c z_j\theta' : U_j\theta\theta'$, that is, $\Gamma_0 \vdash^<_c y_j : U_j$. By induction hypothesis, for all $j < i$, $\Gamma_0 \vdash^<_c U_j : s_j$. Thus, by (acc), $\Gamma_0 \vdash^<_c y_j : U_j$. So, $\theta' : \Gamma_0, \Gamma' \to \Gamma_0$ in $\vdash^<_c$ and, by Lemma 86, $\Gamma_0 \vdash^<_c U_i : s_i$. ∎

Lemma 88 If $\mathcal{R}$ and $\tau$ are compatible with $\ge_\mathcal{F}$, $\to$ is confluent and $\Gamma_0, \Gamma \vdash_f t : T$ then $\Gamma_0, \Gamma \vdash^<_c t : T$.

Proof. By induction on the size of $\Gamma$. Assume that $\Gamma_0, \Gamma = \vec y : \vec U$. Let $\vec z$ be $|\vec y|$ fresh variables, $\theta = \{\vec y \mapsto \vec z\}$, $\theta' = \{\vec z \mapsto \vec y\}$ and $\Delta = \vec z : \vec U\theta$. By Replacement, $\Delta \vdash_f t\theta : T\theta$. By Lemma 85, $\Gamma_0, \Delta \vdash^<_c t\theta : T\theta$. Now we show that $\theta' : \Gamma_0, \Delta \to \Gamma_0, \Gamma$ in $\vdash^<_c$ in order to conclude with Lemma 86.

We must show that, for all $x \in \mathrm{dom}(\Gamma_0, \Delta)$, $\Gamma_0, \Gamma \vdash^<_c x\theta' : x(\Gamma_0, \Delta)\theta'$. If $x \in \mathrm{dom}(\Gamma_0)$ then we have to show that $\Gamma_0, \Gamma \vdash^<_c x : x\Gamma_0$, and if $x = z_i \in \mathrm{dom}(\Delta)$ then we have to show that $\Gamma_0, \Gamma \vdash^<_c y_i : U_i$. So, it is sufficient to show that $\Gamma_0, \Gamma$ is valid in $\vdash^<_c$. If $\Gamma$ is empty, this is immediate since, by Lemma 87, $\Gamma_0$ is valid in $\vdash^<_c$. Assume now that $\Gamma = \Gamma', y : U$. Then, $\Delta = \Delta', z : U\theta$. By the Environment Lemma, $\Gamma_0, \Gamma' \vdash_f U : s$. By induction hypothesis, $\Gamma_0, \Gamma' \vdash^<_c U : s$. Therefore, by (var), $\Gamma_0, \Gamma \vdash^<_c y : U$ and $\Gamma_0, \Gamma$ is valid in $\vdash^<_c$. ∎

A particular but useful case is:

Corollary 89 If $\mathcal{R}$ and $\tau$ are compatible with $\ge_\mathcal{F}$ and $\to$ is confluent then, for all $g <_\mathcal{F} f$, if $\vdash \tau_g : s$ then $\Gamma_0 \vdash^<_c \tau_g : s$.

Proof. Since $\tau$ is compatible with $\ge_\mathcal{F}$ and $\to$ is confluent, by Lemma 54, $\vdash_f \tau_g : s$. Thus, by Lemma 85, $\Gamma_0 \vdash^<_c \tau_g : s$. ∎

Now, we can detail an example. Let us consider the rule:

$appn(p, consn(x, n, \ell), n', \ell') \to consn(x, n + n', appn(n, \ell, n', \ell'))$

with $\Gamma_0 = x : T, n : nat, \ell : listn(n), n' : nat, \ell' : listn(n')$ and $\rho = \{p \mapsto s(n)\}$. We take $stat_{appn} = lex(mul(x_2))$; $appn >_\mathcal{F} consn, +$; $consn >_\mathcal{F} T$ and $+ >_\mathcal{F} s, 0 >_\mathcal{F} nat$. We have already seen that this rule is well-formed. Let us show that $\Gamma_0 \vdash_c r : listn(s(n))$. We have $\mathcal{R}$ and $\tau$ compatible with $\ge_\mathcal{F}$.

For applying (symb$<$), we must show $\vdash \tau_{consn} : \star$, $\Gamma_0 \vdash_c \tau_{consn} : \star$, $\Gamma_0 \vdash_c x : T$, $\Gamma_0 \vdash_c n + n' : nat$ and $\Gamma_0 \vdash_c appn(n, \ell, n', \ell') : listn(n + n')$. It is easy to check that $\vdash \tau_{consn} : \star$. Then, by Corollary 89, we deduce that $\Gamma_0 \vdash_c \tau_{consn} : \star$. The assertions $\Gamma_0 \vdash_c x : T$ and $\Gamma_0 \vdash_c n + n' : nat$ come from Lemma 88. We are left to show that $\Gamma_0 \vdash_c appn(n, \ell, n', \ell') : listn(n + n')$.

For applying (symb$=$), we must show that $\vdash \tau_{appn} : \star$, $\Gamma_0 \vdash_c \tau_{appn} : \star$, $\Gamma_0 \vdash_c n : nat$, $\Gamma_0 \vdash_c \ell : listn(n)$, $\Gamma_0 \vdash_c n' : nat$, $\Gamma_0 \vdash_c \ell' : listn(n')$ and $consn(x, n, \ell) : listn(s(n)) >_1 \ell : listn(n)$. It is easy to check that $\vdash \tau_{appn} : \star$. Then, by Corollary 89, we deduce that $\Gamma_0 \vdash_c \tau_{appn} : \star$. The assertion $consn(x, n, \ell) : listn(p) >_1 \ell : listn(n)$ has already been shown for proving that the rule is well-formed. The other assertions come from Lemma 88.

6.4 Strong normalization conditions 

Definition 90 (Rewrite systems) Let $\mathcal{G}$ be a set of symbols. The rewrite system $(\mathcal{G}, \mathcal{R}_\mathcal{G})$ is:

• of first-order if:

- $\mathcal{G}$ is made of predicate symbols of maximal arity or of constructors of primitive predicates,

- the rules of $\mathcal{R}_\mathcal{G}$ have an algebraic right hand-side;

• non-duplicating if, for all rule of $\mathcal{R}_\mathcal{G}$, no variable has more occurrences in the right hand-side than in the left hand-side;

• primitive if all the rules of $\mathcal{R}_\mathcal{G}$ have a right hand-side of the form $[\vec x : \vec T]g(\vec u)\vec v$ with $g$ a symbol of $\mathcal{G}$ or a primitive predicate;

• simple if there is no critical pair between $\mathcal{R}_\mathcal{G}$ and $\mathcal{R}$:

- no matching on defined symbols,

- no ambiguity in the application of rules;

• small if, for all rule $g(\vec l) \to r \in \mathcal{R}_\mathcal{G}$ and all $X \in FV^\square(r)$, there exists $\kappa_X$ such that $l_{\kappa_X} = X$;

• positive if, for all symbol $g \in \mathcal{G}$ and all rule $l \to r \in \mathcal{R}_\mathcal{G}$, $\mathrm{Pos}(g, r) \subseteq \mathrm{Pos}^+(r)$;

• safe if, for all rule $(g(\vec l) \to r, \Gamma, \rho) \in \mathcal{R}_\mathcal{G}$ with $\tau_g = (\vec x : \vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$:

- for all $X \in FV^\square(\vec T U)$, $X\gamma\rho \in \mathrm{dom}^\square(\Gamma)$,

- for all $X, X' \in FV^\square(\vec T U)$, $X\gamma\rho = X'\gamma\rho \Rightarrow X = X'$.

Definition 91 (Strong normalization conditions)

(A0) All rules are well typed.

(A1) The relation $\to = \to_\mathcal{R} \cup \to_\beta$ is confluent on $\mathcal{T}$.

(A2) There exists an admissible inductive structure.

(A3) There exists a precedence $\ge_\mathcal{F}$ on $D\mathcal{F}^\square$ with which $\mathcal{R}_{D\mathcal{F}^\square}$ is compatible and whose equivalence classes form a system which is either:

(p) primitive,

(q) positive, small and simple,

(r) recursive, small and simple.

(A4) There exists a partition $\mathcal{F}_1 \uplus \mathcal{F}_\omega$ of $D\mathcal{F}^\star$ (first-order and higher-order symbols) such that:

(a) $(\mathcal{F}_\omega, \mathcal{R}_\omega)$ is recursive,

(b) $(\mathcal{F}_\omega, \mathcal{R}_\omega)$ is safe,

(c) no symbol of $\mathcal{F}_\omega$ occurs in the rules of $\mathcal{R}_1$,

(d) $(\mathcal{F}_1, \mathcal{R}_1)$ is of first-order,

(e) if $\mathcal{F}_\omega \neq \emptyset$ then $(\mathcal{F}_1, \mathcal{R}_1)$ is non-duplicating,

(f) $\to_{\mathcal{R}_1}$ is strongly normalizing on $\mathcal{T}(\mathcal{F}_1, \mathcal{X})$.

The condition (A1) ensures, among other things, that $\beta$-reduction preserves typing while (A0) ensures that rewriting preserves typing. One can wonder whether confluence is necessary for proving that $\beta$-reduction preserves typing. H. Geuvers [58] has proved this property for the conversion relation $\mathcal{C} = \leftrightarrow^*_{\beta\eta}$ (instead of $\mathcal{C} = \downarrow_{\beta\eta}$ here) while $\to_{\beta\eta}$ is not confluent on not well-typed terms. M. Fernandez [54] has also proved this property for $\mathcal{C} = \downarrow_{\beta\mathcal{R}}$ with $\to_\mathcal{R}$ being some rewriting at the object level only, without assuming that $\to_\mathcal{R}$ is confluent. But this last result uses in an essential way the fact that rewriting is restricted to the object level. It is not clear how it can be extended to rewriting on types.

One should remember that hypotheses (A1) and (A3) are useful only in case of type-level rewriting.

The condition (Al) can seem difficult to fulfill since one often proves confluence 
using strong normalization and local confluence of critical pairs (result of D. Knuth 
and P. Bendix [18] for first order rewriting extended to higher-order rewriting by T. 
Nipkow [95]). 
We know that $\to_\beta$ is confluent and that there is no critical pair between $\mathcal{R}$ and the $\beta$-reduction since the left hand-sides of the rules of $\mathcal{R}$ are algebraic.

F. Müller [92] has shown that, in this case, if $\to_\mathcal{R}$ is confluent and all the rules of $\mathcal{R}$ are left-linear, then $\to_\mathcal{R} \cup \to_\beta$ is confluent. Thus, the possibility we have introduced, of linearizing some rules (substitution $\rho$) while keeping subject reduction, appears to be very useful.

In the case of left-linear rules, and assuming that $\to_{\mathcal{R}_1}$ is strongly normalizing as it is required in (f), how can we prove that $\to_\mathcal{R}$ is confluent? In the case where $\to_{\mathcal{R}_1}$ is non-duplicating if $\mathcal{R}_\omega \neq \emptyset$, we show in Theorem 144 that $\to_\beta \cup \to_\mathcal{R}$ is strongly normalizing. Therefore, it suffices to check that the critical pairs of $\mathcal{R}$ are confluent (without using any $\beta$-reduction).

In (A4), in the case where $\mathcal{R}_\omega \neq \emptyset$, we require that the rules of $\mathcal{R}_1$ are non-duplicating. Indeed, with first-order rewriting already, strong normalization is not a modular property [114], even with confluent systems [53]. On the other hand, it is modular for disjoint and non-duplicating systems [104]. Here, $\mathcal{R}_1$ and $\mathcal{R}_\omega$ are not disjoint but hierarchically defined: by (c), no symbol of $\mathcal{F}_\omega$ occurs in the rules of $\mathcal{R}_1$. In [43], N. Dershowitz gathers many results on the modularity of strong normalization for first-order rewrite systems, especially for hierarchically defined systems. It would be very interesting to study the modularity of strong normalization in the case of higher-order rewriting and, in particular, other conditions than non-duplication which, for example, does not allow us to accept the following definition:

- $0/y \to 0$

- $s(x)/y \to s((x - y)/y)$

- $0 - y \to 0$

- $s(x) - 0 \to s(x)$

- $s(x) - s(y) \to x - y$

This system is a duplicating first-order system not satisfying the General Schema: it can be put neither in $\mathcal{R}_1$ nor in $\mathcal{R}_\omega$. E. Gimenez [61] can deal with this example by using the fact that the result of $x - y$ is smaller than $s(x)$.
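As an added example (not code from the thesis), the Python block below mechanizes two of the syntactic properties used in Definition 90 and in the discussion above, left-linearity and non-duplication, by counting variable occurrences on each side of a rule. It is run on the division system just shown and on the non-left-linear rule $+(p, p) \to p$ of the process algebra. The tuple encoding of terms, the set `VARS` of variable names and the rule lists are assumptions constructed for the illustration.

```python
# Added example (not the thesis's own code): checking left-linearity and
# non-duplication (Definition 90) by counting variable occurrences in rules.
# Terms are nested tuples (symbol, arg1, ...); a one-element tuple whose
# symbol is in VARS is a variable. Rules are (lhs, rhs) pairs, all constructed.
from collections import Counter
from typing import List, Tuple

Term = tuple
Rule = Tuple[Term, Term]
VARS = {"x", "y", "p"}          # variable names used by the sample rules


def var_occurrences(t: Term) -> Counter:
    """How many times each variable occurs in t."""
    if len(t) == 1 and t[0] in VARS:
        return Counter([t[0]])
    counts: Counter = Counter()
    for arg in t[1:]:
        counts.update(var_occurrences(arg))
    return counts


def left_linear(rules: List[Rule]) -> bool:
    """Every variable occurs at most once in each left hand-side."""
    return all(max(var_occurrences(l).values(), default=0) <= 1 for l, _ in rules)


def duplicating_rules(rules: List[Rule]) -> List[int]:
    """Indices of the rules in which some variable occurs more often in the
    right hand-side than in the left hand-side."""
    bad = []
    for i, (l, r) in enumerate(rules):
        lc, rc = var_occurrences(l), var_occurrences(r)
        if any(rc[v] > lc[v] for v in rc):
            bad.append(i)
    return bad


def non_duplicating(rules: List[Rule]) -> bool:
    """The non-duplicating property of Definition 90."""
    return not duplicating_rules(rules)


# Constructed encoding of the division system above.
def S(t: Term) -> Term:
    return ("s", t)

def div(a: Term, b: Term) -> Term:
    return ("/", a, b)

def minus(a: Term, b: Term) -> Term:
    return ("-", a, b)

ZERO, X, Y, P = ("0",), ("x",), ("y",), ("p",)

DIV_SYSTEM: List[Rule] = [
    (div(ZERO, Y), ZERO),                          # 0/y -> 0
    (div(S(X), Y), S(div(minus(X, Y), Y))),        # s(x)/y -> s((x-y)/y): y duplicated
    (minus(ZERO, Y), ZERO),                        # 0-y -> 0
    (minus(S(X), ZERO), S(X)),                     # s(x)-0 -> s(x)
    (minus(S(X), S(Y)), minus(X, Y)),              # s(x)-s(y) -> x-y
]

IDEMPOTENT: Rule = (("+", P, P), P)                # +(p,p) -> p: not left-linear
```

`duplicating_rules(DIV_SYSTEM)` returns `[1]`: only the second rule copies $y$, which is exactly what bars the system from $\mathcal{R}_1$ under condition (e) when $\mathcal{R}_\omega$ is non-empty, while the subtraction rules alone are non-duplicating.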

In (A3), the smallness condition for recursive and positive systems is equivalent in the Calculus of Inductive Constructions to the restriction of strong elimination to "small" inductive types, that is, the types whose constructors have no other predicate arguments than the ones of their type. For example, the type $list$ of polymorphic lists is small since, in $(A:\star)A \to list(A) \to list(A)$, the type of its constructor $cons$, $A$ is an argument of $list$. On the other hand, a type $T$ having a constructor $c$ of type $\star \to T$ is not small. So, we cannot define a function $f$ of type $T \to \star$ with the rule $f(c(A)) \to A$. Such a rule is not small and does not form a primitive system either. In some sense, primitive systems can always be considered as small systems since they contain no projection and primitive predicate symbols have no predicate argument.



Finally, in (A4), the safeness condition for higher-order symbols means that one cannot do matching or equality tests on predicate arguments that are necessary for typing other arguments. In her extension of HORPO [76] to the Calculus of Constructions, D. Walukiewicz [118] requires a similar condition. She gives several (pathological) examples of non-termination because of non-safeness like $J(A, A, a) \to a$ with $J : (A:\star)(B:\star)B \to A$ or $J(A, A, a, b) \to b$ with $J : (A:\star)(B:\star)A \to B \to A$. On the other hand, the rule $map(A, A, [x:A]x, \ell) \to \ell$, which does not seem problematic, does not satisfy the safeness condition either (note that the left hand-side is not algebraic).

We can now state our main result:

THEOREM: If a CAC satisfies the conditions of Definition 91 then its reduction
relation $\to_{\mathcal{R}} \cup \to_\beta$ preserves typing and is strongly normalizing.

The proof of this theorem is the subject of Chapter 8. This generalizes the results
of M. Fernandez [54] and of J.-P. Jouannaud, M. Okada and myself [22]. In Chapter 7,
we give several important examples of CAC's satisfying these conditions: an
important subsystem with strong elimination of the Calculus of Inductive Constructions
(CIC) and Natural Deduction Modulo (NDM) for a large class of equational theories.

On the other hand, these conditions do not capture the decision procedure for
classical propositional tautologies of Figure 1.3. Let us see why:

- We did not consider rewriting modulo associativity and commutativity.

- Since the system is not left-linear, we do not know how to prove the confluence
of its combination with $\beta$.

- The system is not primitive since there are projections ($P \vee \bot \to P$). It is
recursive (and positive also) and small. Unfortunately, it is not simple.

Rewriting modulo AC does not seem to be a difficult extension, except perhaps 
in the case of type-level rewriting. On the other hand, confluence and simplicity 
are problems which seem difficult but we expect to solve them in the future. In 
Section 9, we give other directions for future work but these three problems are 
certainly the most important ones. 

From strong normalization, we can deduce the decidability of the typing relation, 
which is the essential property on which proof assistants like Coq [112] and LEGO 
[82] are based. 

Theorem 92 (Decidability of $\vdash$) Let $\Gamma$ be a valid environment and $T$ be $\Box$ or
a term typable in $\Gamma$. In a CAC satisfying the conditions of Definition 91, checking
whether a term $t$ is of type $T$ in $\Gamma$ is decidable.

Proof. Since $\Gamma$ is valid, it is possible to say whether $t$ is typable and, if so, it is
possible to infer a type $T'$ for $t$. Since types are convertible, it suffices to check that
$T$ and $T'$ have the same normal form. The reader is invited to look at [35, 11] for
more details. ■

Remark 93 (Logical consistency) 

In the pure Calculus of Constructions (CC), it is easy to check that, in the empty
environment, no normal proof of $\bot = (P:\star)P$ can exist [10]. Therefore, for CC,
strong normalization is sufficient for proving the logical consistency.

On the other hand, in a CAC, the situation is not so simple. From a logical
point of view, having symbols is equivalent to working in a non-empty environment.
Therefore, it is possible that symbols and rules allow one to build a normal proof
of $\bot$. In [106], J. Seldin shows the logical consistency of the "strongly consistent"
environments$^3$ by syntactical means. However, for proving the consistency of more
complex environments, it may be necessary to use semantic methods.



$^3$ An environment $\Gamma$ is strongly consistent if, for all $x \in dom(\Gamma)$, either $x\Gamma$ is a predicate type, or
$x\Gamma$ is $\beta$-equivalent to a term of the form $y\vec{t}$.

Chapter 7

Examples of CAC's 



7.1 Calculus of Inductive Constructions (CIC) 

We are going to show that our conditions of strong normalization capture most 
of the Calculus of Inductive Constructions (CIC) of B. Werner [119] which is the 
basis of the proof assistant Coq [112]. But, since CIC is expressed in a formalism 
different from ours, we need to translate CIC into our formalism in order to check 
our conditions. It is a little bit long and painful but not very difficult. 

In order to type the strong elimination schema in a polymorphic way, which is
not possible in the usual Calculus of Constructions, B. Werner uses a slightly more
general type system with the sorts $\mathcal{S} = \{\star, \Box, \triangle\}$, the axioms $\mathcal{A} = \{(\star,\Box), (\Box,\triangle)\}$
and the rules $\mathcal{B} = \{(s_1,s_2,s_3) \in \mathcal{S}^3 \mid s_1 \in \{\star,\Box\},\ s_2 = s_3\}$ (in fact, he denotes $\star$ by
Set, $\Box$ by Type and $\triangle$ by Extern).

Then he adds terms for representing inductive types, their constructors and the 
definitions by recursion on these types : 

• inductive types: An inductive type is denoted by $I = Ind(X:A)\{\vec{C}\}$ where the
$C_i$'s are the types of the constructors of $I$. For example, $Nat = Ind(X:\star)\{X, X \to X\}$
represents the type of natural numbers (in fact, any type isomorphic to the
type of natural numbers). The term $A$ must be of the form $(\vec{x}:\vec{A})\star$ and the $C_i$'s
of the form $(\vec{z}:\vec{B})X\vec{m}$ with $X \notin FV(\vec{m})$. Furthermore, the inductive types must
be strictly positive. In CIC, this means that, if $C_i = (\vec{z}:\vec{B})X\vec{m}$ then, for all $j$,
either $X$ does not appear in $B_j$, or $B_j$ is of the form $(\vec{y}:\vec{D})X\vec{q}$ and $X$ appears
neither in $\vec{D}$ nor in $\vec{q}$.

• constructors: The $i$-th constructor of an inductive type $I$ is denoted by
$Constr(i,I)$. For example, $Constr(1,Nat)$ represents zero and $Constr(2,Nat)$
represents the successor function.

• definitions by recursion: A definition by recursion on an inductive type $I$ is
denoted by $Elim(I,Q,\vec{a},c)$ where $Q$ is the type of the result, $\vec{a}$ the arguments of
$I$ and $c$ a term of type $I\vec{a}$. The strong elimination (that is, in the case where $Q$
is a predicate type) is restricted to "small" inductive types, that is, the types
whose constructors do not have predicate arguments that their type does not have.
More precisely, an inductive type $I = Ind(X:A)\{\vec{C}\}$ is small if all the types
of its constructors are small, and a constructor type $C = (\vec{z}:\vec{B})X\vec{m}$ is small
if $\{\vec{z}\} \cap \mathcal{X}^\Box = \emptyset$ (this means that the predicate arguments must be part of the
environment in which they are typed; they cannot be part of $C$).

For defining the reduction relation associated with $Elim$, called $\iota$-reduction
and denoted $\to_\iota$, and the typing rules of $Elim$ (see Figure 7.1), it is necessary to
introduce a few definitions.

Let $C$ be a constructor type. We define $\Delta\{I,X,C,Q,c\}$ as follows:

- $\Delta\{I,X,X\vec{m},Q,c\} = Q\vec{m}c$

- $\Delta\{I,X,(z:B)D,Q,c\} = (z:B)\Delta\{I,X,D,Q,cz\}$ if $X \notin FV(B)$

- $\Delta\{I,X,(z:B)D,Q,c\} = (z:B\{X \mapsto I\})((\vec{y}:\vec{D})Q\vec{q}(z\vec{y})) \to \Delta\{I,X,D,Q,cz\}$
if $B = (\vec{y}:\vec{D})X\vec{q}$

The $\iota$-reduction is defined by the rule:

$Elim(I,Q,\vec{x},Constr(i,I')\vec{z})\{\vec{f}\} \to_\iota \Delta[I,X,C_i,f_i,FunElim(I,Q,\vec{f})]\vec{z}$

where $I = Ind(X:A)\{\vec{C}\}$, $FunElim(I,Q,\vec{f}) = [\vec{x}:\vec{A}][y:I\vec{x}]Elim(I,Q,\vec{x},y)\{\vec{f}\}$ and
$\Delta[I,X,C,f,F]$ is defined as follows:

- $\Delta[I,X,X\vec{m},f,F] = f$

- $\Delta[I,X,(z:B)D,f,F] = [z:B]\Delta[I,X,D,fz,F]$ if $X \notin FV(B)$

- $\Delta[I,X,(z:B)D,f,F] = [z:B\{X \mapsto I\}]\Delta[I,X,D,fz[\vec{y}:\vec{D}](F\vec{q}(z\vec{y})),F]$
if $B = (\vec{y}:\vec{D})X\vec{q}$

Finally, in the type conversion rule (conv), in addition to $\beta$-reduction and $\iota$-reduction,
B. Werner considers $\eta$-reduction: $[x:T]ux \to_\eta u$ if $x \notin FV(u)$. Since $\to_{\beta\eta}$
is not confluent on badly typed terms$^1$, considering $\eta$-reduction creates important
difficulties [58]. Therefore, since our condition (A1) cannot be satisfied with $\eta$-reduction,
we cannot consider $\eta$-reduction. To find a condition weaker than (A1)
that would be satisfied even with $\eta$-reduction is a problem that we have temporarily
left open.

The $\iota$-reduction as defined above introduces many $\beta$-redexes and the recursive
calls on $Elim$ are made on bound variables which must be instantiated by strict
subterms (or terms of smaller order in case of a strictly positive inductive type).
So, on one hand, from a practical point of view, this is not very efficient since
these instantiations could be done immediately after the $\iota$-reduction, and on the
other hand, the General Schema cannot directly deal with recursive calls on bound
variables, even though these variables must be instantiated with smaller terms.

This is why we are not going to show the strong normalization of the relation
$\to_{\beta\iota}$ but of the relation $\to_{\beta\iota'}$ where one step of $\to_{\iota'}$ corresponds to an $\iota$-reduction
followed by as many $\beta$-reductions as necessary for erasing the $\beta$-redexes introduced
by the $\iota$-reduction. Note that it is indeed this reduction relation which is actually
implemented in the Coq system [112].

$^1$ Remark due to R. Nederpelt [93]: $[x:A]x \leftarrow_\beta [x:A]([y:B]y\,x) \to_\eta [y:B]y$.

Figure 7.1: Typing rules of CIC

(Ind)
$$\frac{A = (\vec{x}:\vec{A})\star \quad \Gamma \vdash A : \Box \quad \forall i,\ \Gamma, X:A \vdash C_i : \star}{\Gamma \vdash Ind(X:A)\{\vec{C}\} : A}$$

(Constr)
$$\frac{I = Ind(X:A)\{\vec{C}\} \quad \Gamma \vdash I : T}{\Gamma \vdash Constr(i,I) : C_i\{X \mapsto I\}}$$

($\star$-Elim)
$$\frac{\begin{array}{c} A = (\vec{x}:\vec{A})\star \quad I = Ind(X:A)\{\vec{C}\} \quad \Gamma \vdash Q : (\vec{x}:\vec{A})I\vec{x} \to \star \\ T_i = \Delta\{I,X,C_i,Q,Constr(i,I)\} \quad \gamma = \{\vec{x} \mapsto \vec{a}\} \\ \forall j,\ \Gamma \vdash a_j : A_j\gamma \quad \Gamma \vdash c : I\vec{a} \quad \forall i,\ \Gamma \vdash f_i : T_i \end{array}}{\Gamma \vdash Elim(I,Q,\vec{a},c)\{\vec{f}\} : Q\vec{a}c}$$

($\Box$-Elim)
$$\frac{\begin{array}{c} A = (\vec{x}:\vec{A})\star \quad I = Ind(X:A)\{\vec{C}\} \text{ is small} \quad \Gamma \vdash Q : (\vec{x}:\vec{A})I\vec{x} \to \Box \\ T_i = \Delta\{I,X,C_i,Q,Constr(i,I)\} \quad \gamma = \{\vec{x} \mapsto \vec{a}\} \\ \forall j,\ \Gamma \vdash a_j : A_j\gamma \quad \Gamma \vdash c : I\vec{a} \quad \forall i,\ \Gamma \vdash f_i : T_i \end{array}}{\Gamma \vdash Elim(I,Q,\vec{a},c)\{\vec{f}\} : Q\vec{a}c}$$

(Conv)
$$\frac{\Gamma \vdash t : T \quad T \leftrightarrow^*_{\beta\iota} T' \quad \Gamma \vdash T' : s}{\Gamma \vdash t : T'}$$

Definition 94 ($\iota'$-reduction) The $\iota'$-reduction is the reduction relation defined by
the rule:

$Elim(I,Q,\vec{x},Constr(i,I')\vec{z})\{\vec{f}\} \to_{\iota'} \Delta'[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$

where $I = Ind(X:A)\{\vec{C}\}$ and $\Delta'[I,X,C,f,Q,\vec{f},\vec{z}]$ is defined as follows:

- $\Delta'[I,X,X\vec{m},f,Q,\vec{f},\emptyset] = f$

- $\Delta'[I,X,(z:B)D,f,Q,\vec{f},z\vec{z}] = \Delta'[I,X,D,fz,Q,\vec{f},\vec{z}]$ if $X \notin FV(B)$

- $\Delta'[I,X,(z:B)D,f,Q,\vec{f},z\vec{z}] = \Delta'[I,X,D,fz[\vec{y}:\vec{D}]Elim(I,Q,\vec{q},z\vec{y})\{\vec{f}\},Q,\vec{f},\vec{z}]$
if $B = (\vec{y}:\vec{D})X\vec{q}$

We think that the strong normalization of $\to_{\beta\iota'}$ implies the strong normalization
of $\to_{\beta\iota}$. But, since this problem does not seem very easy to solve and is not directly
related to our work, we leave its resolution for the moment.

Conjecture 95 If $\to_{\beta\iota'}$ is strongly normalizing then $\to_{\beta\iota}$ is strongly normalizing.

Definition 96 (Admissible inductive type) An inductive type $I = Ind(X:A)\{\vec{C}\}$
is admissible if it satisfies the conditions (I5), (I6) (adapted to the syntax of
CIC, a strong elimination being considered as a defined predicate symbol) and the
following safeness condition: if $A = (\vec{x}:\vec{A})\star$ and $C_i = (\vec{z}:\vec{B})X\vec{m}$ then:

- $\forall x_i \in \mathcal{X}^\Box$, $m_i \in \mathcal{X}^\Box$,

- $\forall x_i, x_j \in \mathcal{X}^\Box$, $m_i = m_j \Rightarrow x_i = x_j$.
Definition 97 (CIC$^-$) The sub-system of CIC that we are going to consider,
CIC$^-$, can be obtained by applying the following restrictions:

• We exclude any use of the sort $\triangle$ in order to stay in the Calculus of Constructions.

• In the rule (Ind), instead of requiring $I = Ind(X:A)\{\vec{C}\}$ to be typable in any
environment $\Gamma$, we require $I$ to be typable in the empty environment since, in CAC,
the types of the symbols must be typable in the empty environment. Moreover,
we require $I$ to be admissible and in normal form.

The restriction to the empty environment is not a real restriction since any
type $I = Ind(X:A)\{\vec{C}\}$ typable in an environment $\Gamma = \vec{y}:\vec{U}$ can be replaced
by a type $I' = Ind(X':A')\{\vec{C'}\}$ typable in the empty environment: it suffices
to take $A' = (\vec{y}:\vec{U})A$, $C'_i = (\vec{y}:\vec{U})C_i\{X \mapsto X'\vec{y}\}$ and to replace $I$ by $I'\vec{y}$ and
$Constr(i,I)$ by $Constr(i,I')\vec{y}$.

But we need to adapt the definition of small constructor type as follows: a
constructor type $C$ of an inductive type $I = Ind(X:A)\{\vec{C}\}$ with $A = (\vec{x}:\vec{A})\star$ is
small if it is of the form $(\vec{x}:\vec{A})(\vec{z}:\vec{B})X\vec{m}$ with $\{\vec{z}\} \cap \mathcal{X}^\Box = \emptyset$.

• In the rule ($\star$-Elim), instead of requiring $Q$ to be typable in any environment $\Gamma$,
we require $Q$ to be typable in the empty environment. Moreover, we explicitly
require $I$ and $T_i = \Delta\{I,X,C_i,Q,Constr(i,I)\}$ to be typable.

• In the rule ($\Box$-Elim), instead of requiring $\vdash Q : (\vec{x}:\vec{A})I\vec{x} \to \Box$, which is not
possible in the Calculus of Constructions, we require $Q$ to be of the form $[\vec{x}:\vec{A}][y:I\vec{x}]K$
with $\vec{x}:\vec{A}, y:I\vec{x} \vdash K : \Box$ and $f_i$ to be of type $T_i = \Delta'\{I,X,C_i,\vec{x}y,K,Constr(i,I)\}$
where $\Delta'\{I,X,C,\vec{x}y,K,c\}$ is defined as follows:

- $\Delta'\{I,X,X\vec{m},\vec{x}y,K,c\} = K\{\vec{x} \mapsto \vec{m}, y \mapsto c\}$,

- if $B = (\vec{y}:\vec{D})X\vec{q}$ then $\Delta'\{I,X,(z:B)D,\vec{x}y,K,c\} = (z:B\{X \mapsto I\})((\vec{y}:\vec{D})K\{\vec{x} \mapsto \vec{q}, y \mapsto z\vec{y}\}) \to \Delta'\{I,X,D,\vec{x}y,K,cz\}$.

Moreover, we require $Q$ to be in normal form, $T_i$ to be typable and the
inductive types that occur in $Q$ to be subterms of $I$. Finally, we take
$\Gamma \vdash Elim(I,Q,\vec{a},c)\{\vec{f}\} : K\{\vec{x} \mapsto \vec{a}, y \mapsto c\}$ instead of $\Gamma \vdash Elim(I,Q,\vec{a},c)\{\vec{f}\} : Q\vec{a}c$.

Requiring $Q$ to be of the form $[\vec{x}:\vec{A}][y:I\vec{x}]K$ is not a real restriction since, as
shown by B. Werner (Corollary 2.9 page 57 of [119]), if $\Gamma \vdash Q : \Box$ then there exists
$Q'$ of the form $(\vec{y}:\vec{U})\star$ such that $Q \to^* Q'$. Hence, if $\vdash Q : (\vec{x}:\vec{A})I\vec{x} \to \Box$ then
$\vec{x}:\vec{A}, y:I\vec{x} \vdash Q\vec{x}y : \Box$. Therefore, there exists $Q'$ of the form $(\vec{y}:\vec{U})\star$ such that
$Q\vec{x}y \to^* Q'$. Then, $[\vec{x}:\vec{A}][y:I\vec{x}]Q\vec{x}y \to^* [\vec{x}:\vec{A}][y:I\vec{x}]Q'$ and $[\vec{x}:\vec{A}][y:I\vec{x}]Q\vec{x}y \to^*_\eta Q$.
Therefore, by confluence, there exists $Q''$ of the form $[\vec{x}:\vec{A}][y:I\vec{x}](\vec{y}:\vec{U'})\star$ such
that $Q \to^* Q''$.

On the other hand, requiring the inductive types occurring in $Q$ to be subterms
of $I$ is a more important restriction. But it is only due to the fact that we restrict
ourselves to the Calculus of Constructions in which it is not possible to type the
strong elimination schema in a polymorphic way (that is why B. Werner used a
slightly more general PTS).

• In the rule (conv), instead of requiring $T \leftrightarrow^*_{\beta\iota} T'$, we require $T \downarrow_{\beta\iota'} T'$ which is
equivalent to $T \leftrightarrow^*_{\beta\iota'} T'$ since $\to_{\beta\iota'}$ is confluent (orthogonal CRS [79]).

We will denote by $\to_{\beta\iota'}$ the reduction relation of CIC$^-$, by $\mathcal{NF}$ the set of CIC$^-$
terms in normal form for $\to_{\beta\iota'}$ (unique by confluence), by $t\downarrow$ the normal form of $t$,
and by $\vdash$ the typing relation of CIC$^-$ (see Figure 7.2).

Figure 7.2: Typing rules of CIC$^-$

(Ind)
$$\frac{A = (\vec{x}:\vec{A})\star \quad \vdash A : \Box \quad X:A \vdash C_i : \star \quad I = Ind(X:A)\{\vec{C}\} \in \mathcal{NF} \text{ is admissible}}{\Gamma \vdash I : A}$$

(Constr)
$$\frac{I = Ind(X:A)\{\vec{C}\} \quad \Gamma \vdash I : T}{\Gamma \vdash Constr(i,I) : C_i\{X \mapsto I\}}$$

($\star$-Elim)
$$\frac{\begin{array}{c} A = (\vec{x}:\vec{A})\star \quad I = Ind(X:A)\{\vec{C}\} \quad \Gamma \vdash I : T \quad \vdash Q : (\vec{x}:\vec{A})I\vec{x} \to \star \\ T_i = \Delta\{I,X,C_i,Q,Constr(i,I)\} \quad \vdash T_i : \star \quad \gamma = \{\vec{x} \mapsto \vec{a}\} \\ \forall j,\ \Gamma \vdash a_j : A_j\gamma \quad \Gamma \vdash c : I\vec{a} \quad \forall i,\ \Gamma \vdash f_i : T_i \end{array}}{\Gamma \vdash Elim(I,Q,\vec{a},c)\{\vec{f}\} : Q\vec{a}c}$$

($\Box$-Elim)
$$\frac{\begin{array}{c} A = (\vec{x}:\vec{A})\star \quad I = Ind(X:A)\{\vec{C}\} \quad Q = [\vec{x}:\vec{A}][y:I\vec{x}]K \in \mathcal{NF} \quad \vec{x}:\vec{A}, y:I\vec{x} \vdash K : \Box \\ \text{the inductive types of } Q \text{ are subterms of } I \\ T_i = \Delta'\{I,X,C_i,\vec{x}y,K,Constr(i,I)\} \quad \vdash T_i : \Box \quad \gamma = \{\vec{x} \mapsto \vec{a}\} \\ \forall j,\ \Gamma \vdash a_j : A_j\gamma \quad \Gamma \vdash c : I\vec{a} \quad \forall i,\ \Gamma \vdash f_i : T_i \end{array}}{\Gamma \vdash Elim(I,Q,\vec{a},c)\{\vec{f}\} : K\{\vec{x} \mapsto \vec{a}, y \mapsto c\}}$$

(Conv)
$$\frac{\Gamma \vdash t : T \quad T \downarrow_{\beta\iota'} T' \quad \Gamma \vdash T' : s}{\Gamma \vdash t : T'}$$



Theorem 98 There exists a CAC $\mathcal{T}$ (with typing relation $\vdash_{\mathcal{T}}$ and reduction relation
$\to$) satisfying the conditions of Definition 91 and a function $\langle\_\rangle$ which, to a CIC$^-$
term, associates a $\mathcal{T}$ term such that:

- if $\Gamma \vdash t : T$ then $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle t\rangle : \langle T\rangle$,

- moreover, if $t \to_{\beta\iota'} t'$ then $\langle t\rangle \to^+ \langle t'\rangle$.

Hence, $\to_{\beta\iota'}$ is strongly normalizing in CIC$^-$.

Definition 99 (Translation) We define $\langle t\rangle$ on the well-typed terms, by induction
on $\Gamma \vdash t : T$:

• Let $I = Ind(X:A)\{\vec{C}\}$ with $A = (\vec{x}:\vec{A})\star$. We take $\langle I\rangle = [\vec{x}:\langle\vec{A}\rangle]Ind_I(\vec{x})$ where
$Ind_I$ is a symbol of type $\langle A\rangle$.

• By hypothesis, $C_i = (\vec{z}:\vec{B})X\vec{m}$. We take $\langle Constr(i,I)\rangle = [\vec{z}:\langle\vec{B}\rangle\theta']Constr_i^I(\vec{z})$
where $\theta' = \{X \mapsto \langle I\rangle\}$, $Constr_i^I$ is a symbol of type $(\vec{z}:\vec{B'})Ind_I(\langle\vec{m}\rangle)$, $B'_j = \langle B_j\rangle$
if $X$ does not occur in $B_j$, and $B'_j = (\vec{y}:\langle\vec{D}\rangle)Ind_I(\langle\vec{q}\rangle)$ if $B_j = (\vec{y}:\vec{D})X\vec{q}$.

• Let $Q$ be a term not of the form $[\vec{x}:\vec{A}][y:I\vec{x}]K$ with $K = (\vec{y}:\vec{U})\star$. We
take $\langle Elim(I,Q,\vec{a},c)\{\vec{f}\}\rangle = WElim_I(\langle Q\rangle,\langle\vec{a}\rangle,\langle c\rangle,\langle\vec{f}\rangle)$ where $WElim_I$ is a
symbol of type $(Q:(\vec{x}:\langle\vec{A}\rangle)\langle I\rangle\vec{x} \to \star)(\vec{x}:\langle\vec{A}\rangle)(y:\langle I\rangle\vec{x})(\vec{f}:\langle\vec{T}\rangle)Q\vec{x}y$ and
$T_i = \Delta\{I,X,C_i,Q,Constr(i,I)\}$.

• Let $Q$ be a term of the form $[\vec{x}:\vec{A}][y:I\vec{x}]K$ with $K = (\vec{y}:\vec{U})\star$. We take
$\langle Elim(I,Q,\vec{a},c)\{\vec{f}\}\rangle = SElim_I^Q(\langle\vec{a}\rangle,\langle c\rangle,\langle\vec{f}\rangle)$ where $SElim_I^Q$ is a symbol of type
$(\vec{x}:\langle\vec{A}\rangle)(y:\langle I\rangle\vec{x})(\vec{f}:\langle\vec{T}\rangle)\langle K\rangle$, $T_i = \Delta'\{I,X,C_i,\vec{x}y,K,Constr(i,I)\}$.

• The other terms are defined recursively: $\langle uv\rangle = \langle u\rangle\langle v\rangle$, ...

Let $\mathcal{T}$ be the CAC whose symbols are those just previously defined and whose rules
are:

$WElim_I(Q,\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to \Delta'_W[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$
$SElim_I^Q(\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to \Delta'_S[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$

where $\Delta'_W[I,X,C,f,Q,\vec{f},\vec{z}]$ and $\Delta'_S[I,X,C,f,Q,\vec{f},\vec{z}]$ are defined as follows:

- $\Delta'_W[I,X,X\vec{m},f,Q,\vec{f},\vec{z}] = \Delta'_S[I,X,X\vec{m},f,Q,\vec{f},\vec{z}] = f$,

- $\Delta'_S[I,X,(z:B)D,f,Q,\vec{f},z\vec{z}] = \Delta'_S[I,X,D,fz,Q,\vec{f},\vec{z}]$
and $\Delta'_W[I,X,(z:B)D,f,Q,\vec{f},z\vec{z}] = \Delta'_W[I,X,D,fz,Q,\vec{f},\vec{z}]$ if $X \notin FV(B)$

- $\Delta'_S[I,X,(z:B)D,f,Q,\vec{f},z\vec{z}] = \Delta'_S[I,X,D,fz[\vec{y}:\vec{D}]SElim_I^Q(\vec{q},z\vec{y},\vec{f}),Q,\vec{f},\vec{z}]$
and $\Delta'_W[I,X,(z:B)D,f,Q,\vec{f},z\vec{z}] = \Delta'_W[I,X,D,fz[\vec{y}:\vec{D}]WElim_I(Q,\vec{q},z\vec{y},\vec{f}),Q,\vec{f},\vec{z}]$
if $B = (\vec{y}:\vec{D})X\vec{q}$

Since $\to_{\beta\iota'}$ is confluent, the $\beta$-reduction has the subject reduction property in
$\mathcal{T}$. This will be useful for proving that the translation preserves typing:

Lemma 100 If $\Gamma \vdash t : T$ then $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle t\rangle : \langle T\rangle$.

Proof. By induction on $\Gamma \vdash t : T$.

(Ind) We have to prove that $\vdash_{\mathcal{T}} \langle I\rangle : \langle A\rangle$. We have $\langle I\rangle = [\vec{x}:\langle\vec{A}\rangle]Ind_I(\vec{x})$ with
$Ind_I$ of type $\langle A\rangle = (\vec{x}:\langle\vec{A}\rangle)\star$. Since $\vdash A : \Box$, by induction hypothesis, we have
$\vdash_{\mathcal{T}} \langle A\rangle : \Box$, that is, $\vdash_{\mathcal{T}} \tau_{Ind_I} : \Box$. By inversion, we get $\vec{x}:\langle\vec{A}\rangle \vdash_{\mathcal{T}} \star : \Box$. Therefore,
$\Gamma = \vec{x}:\langle\vec{A}\rangle$ is valid and, by the Environment Lemma and (weak), for all $i$,
$\Gamma \vdash_{\mathcal{T}} x_i : \langle A_i\rangle$. Hence, by (symb), $\Gamma \vdash_{\mathcal{T}} Ind_I(\vec{x}) : \star$ and, by (abs), $\vdash_{\mathcal{T}} \langle I\rangle : \langle A\rangle$.

(Constr) We have to prove that $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle Constr(i,I)\rangle : \langle C_i\theta\rangle$ where $\theta = \{X \mapsto I\}$.
We have $C_i = (\vec{z}:\vec{B})X\vec{m}$, $\langle Constr(i,I)\rangle = [\vec{z}:\langle\vec{B}\rangle\theta']Constr_i^I(\vec{z})$, $\theta' = \{X \mapsto \langle I\rangle\}$,
$Constr_i^I$ of type $(\vec{z}:\vec{B'})Ind_I(\langle\vec{m}\rangle)$, $B'_j = \langle B_j\rangle$ if $X$ does not occur in $B_j$,
$B'_j = (\vec{y}:\langle\vec{D}\rangle)Ind_I(\langle\vec{q}\rangle)$ if $B_j = (\vec{y}:\vec{D})X\vec{q}$, $\langle C_i\theta\rangle = (\vec{z}:\langle\vec{B}\rangle\theta')\langle I\rangle\langle\vec{m}\rangle$ and
$\langle I\rangle = [\vec{x}:\langle\vec{A}\rangle]Ind_I(\vec{x})$.

Hence, $\langle I\rangle\langle\vec{m}\rangle \to^*_\beta Ind_I(\langle\vec{m}\rangle)$. Moreover, if $X$ does not occur in $B_j$ then
$B'_j = \langle B_j\rangle = \langle B_j\rangle\theta'$. If $B_j = (\vec{y}:\vec{D})X\vec{q}$ then $B'_j = (\vec{y}:\langle\vec{D}\rangle)Ind_I(\langle\vec{q}\rangle)$ and
$\langle B_j\rangle\theta' = (\vec{y}:\langle\vec{D}\rangle)\langle I\rangle\langle\vec{q}\rangle$. Since $\langle I\rangle\langle\vec{q}\rangle \to^*_\beta Ind_I(\langle\vec{q}\rangle)$, for all $j$, $\langle B_j\rangle\theta' \to^*_\beta B'_j$.

Since $\Gamma \vdash I : T$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle I\rangle : \langle T\rangle$ and $\langle\Gamma\rangle$ is valid. By
inversion, $\vdash I : A$ and $X:A \vdash C_i : \star$. By inversion again, $X:A, \vec{z}:\vec{B} \vdash X\vec{m} : \star$.
By induction hypothesis, $\vdash_{\mathcal{T}} \langle I\rangle : \langle A\rangle$ and $X:\langle A\rangle, \vec{z}:\langle\vec{B}\rangle \vdash_{\mathcal{T}} X\langle\vec{m}\rangle : \star$. By
substitution, $\vec{z}:\langle\vec{B}\rangle\theta' \vdash_{\mathcal{T}} \langle I\rangle\langle\vec{m}\rangle : \star$. Therefore, $\Delta = \vec{z}:\langle\vec{B}\rangle\theta'$ is valid. Since
$\langle\vec{B}\rangle\theta' \to^*_\beta \vec{B'}$, by subject reduction on the environments, $\Delta' = \vec{z}:\vec{B'}$ is also valid.
Therefore, $\vec{z}:\vec{B'} \vdash_{\mathcal{T}} \langle I\rangle\langle\vec{m}\rangle : \star$ and, by (prod), $\vdash_{\mathcal{T}} (\vec{z}:\vec{B'})Ind_I(\langle\vec{m}\rangle) : \star$, that is,
$\vdash_{\mathcal{T}} \tau_{Constr_i^I} : \star$.

By the Environment Lemma and (conv), for all $j$, $\Delta \vdash_{\mathcal{T}} z_j : B'_j$. Therefore,
by (symb), $\Delta \vdash_{\mathcal{T}} Constr_i^I(\vec{z}) : Ind_I(\langle\vec{m}\rangle)$ and, by (abs), $\vdash_{\mathcal{T}} \langle Constr(i,I)\rangle : (\vec{z}:\langle\vec{B}\rangle\theta')Ind_I(\langle\vec{m}\rangle)$.
Finally, by (conv) and (weak), $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle Constr(i,I)\rangle : \langle C_i\theta\rangle$.
($\star$-Elim) We have to prove that $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle Elim(I,Q,\vec{a},c)\{\vec{f}\}\rangle : \langle Q\vec{a}c\rangle$. We have
$\langle Elim(I,Q,\vec{a},c)\{\vec{f}\}\rangle = WElim_I(\langle Q\rangle,\langle\vec{a}\rangle,\langle c\rangle,\langle\vec{f}\rangle)$, $WElim_I$ of type
$(Q:\langle B\rangle)(\vec{x}:\langle\vec{A}\rangle)(y:\langle I\rangle\vec{x})(\vec{f}:\langle\vec{T}\rangle)Q\vec{x}y$, $B = (\vec{x}:\vec{A})I\vec{x} \to \star$, $T_i = \Delta\{I,X,C_i,Q,Constr(i,I)\}$
and $\langle Q\vec{a}c\rangle = \langle Q\rangle\langle\vec{a}\rangle\langle c\rangle$. In order to apply (symb), we prove that (1) $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle Q\rangle : \langle B\rangle$,
(2) $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle\vec{a}\rangle : \langle\vec{A}\rangle\gamma'$, (3) $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle c\rangle : \langle I\rangle\vec{x}\gamma'$, (4) $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle\vec{f}\rangle : \langle\vec{T}\rangle\gamma'$ and
(5) $\vdash_{\mathcal{T}} \tau_{WElim_I} : \star$, where $\gamma' = \{Q \mapsto \langle Q\rangle, \vec{x} \mapsto \langle\vec{a}\rangle, y \mapsto \langle c\rangle, \vec{f} \mapsto \langle\vec{f}\rangle\}$. First of all,
note that, since $\Gamma \vdash c : I\vec{a}$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle c\rangle : \langle I\vec{a}\rangle$ and $\langle\Gamma\rangle$ is
valid.

(1) Since $\vdash Q : B$, by induction hypothesis, $\vdash_{\mathcal{T}} \langle Q\rangle : \langle B\rangle$. Therefore, by weakening,
$\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle Q\rangle : \langle B\rangle$.

(2) Since $\Gamma \vdash a_j : A_j\gamma$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle a_j\rangle : \langle A_j\gamma\rangle$. But $\langle A_j\gamma\rangle = \langle A_j\rangle\gamma'$
since $FV(A_j) \subseteq \{\vec{x}\}$.

(3) Since $\Gamma \vdash c : I\vec{a}$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle c\rangle : \langle I\vec{a}\rangle$. But $\langle I\vec{a}\rangle = \langle I\rangle\langle\vec{a}\rangle = \langle I\rangle\vec{x}\gamma'$.

(4) Since $\Gamma \vdash f_i : T_i$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle f_i\rangle : \langle T_i\rangle$. But $\langle T_i\rangle\gamma' = \langle T_i\rangle$
since $T_i$ is closed ($\vdash T_i : \star$).

(5) Let $\Delta = Q:\langle B\rangle, \vec{x}:\langle\vec{A}\rangle, y:\langle I\rangle\vec{x}$ and $\Delta' = \Delta, \vec{f}:\langle\vec{T}\rangle$. We prove that $\Delta'$
is valid. Indeed, in this case, $\Delta' \vdash_{\mathcal{T}} Q\vec{x}y : \star$ and, by (prod), $\vdash_{\mathcal{T}} \tau_{WElim_I} : \star$.
We have $\vdash_{\mathcal{T}} \langle Q\rangle : \langle B\rangle$. Therefore, $\vdash_{\mathcal{T}} \langle B\rangle : \Box$. By (var), $Q:\langle B\rangle \vdash_{\mathcal{T}} Q : \langle B\rangle$.
By inversion, $Q:\langle B\rangle, \vec{x}:\langle\vec{A}\rangle, y:\langle I\rangle\vec{x} \vdash_{\mathcal{T}} \star : \Box$ and $\Delta$ is valid. Let $\Delta_i =$
$\Delta, f_1:\langle T_1\rangle, \ldots, f_i:\langle T_i\rangle$. We prove by induction on $i$ that $\Delta_i$ is valid. If
$i = 0$, this is immediate. We now prove that if $\Delta_i$ is valid then $\Delta_{i+1}$ is valid
too. Since $\vdash_{\mathcal{T}} \langle T_{i+1}\rangle : \star$, by weakening, $\Delta_i \vdash_{\mathcal{T}} \langle T_{i+1}\rangle : \star$. Therefore, by (var),
$\Delta_{i+1} \vdash_{\mathcal{T}} f_{i+1} : \langle T_{i+1}\rangle$ and $\Delta_{i+1}$ is valid.

($\Box$-Elim) We have to prove that $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle Elim(I,Q,\vec{a},c)\{\vec{f}\}\rangle : \langle K\rangle$. We have
$\langle Elim(I,Q,\vec{a},c)\{\vec{f}\}\rangle = SElim_I^Q(\langle\vec{a}\rangle,\langle c\rangle,\langle\vec{f}\rangle)$, $SElim_I^Q$ of type $(\vec{x}:\langle\vec{A}\rangle)(y:\langle I\rangle\vec{x})(\vec{f}:\langle\vec{T}\rangle)\langle K\rangle$
and $T_i = \Delta'\{I,X,C_i,\vec{x}y,K,Constr(i,I)\}$. In order to apply (symb), we
prove that (1) $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle\vec{a}\rangle : \langle\vec{A}\rangle\gamma'$, (2) $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle c\rangle : \langle I\rangle\vec{x}\gamma'$, (3) $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle\vec{f}\rangle : \langle\vec{T}\rangle\gamma'$ and
(4) $\vdash_{\mathcal{T}} \tau_{SElim_I^Q} : \Box$, where $\gamma' = \{\vec{x} \mapsto \langle\vec{a}\rangle, y \mapsto \langle c\rangle, \vec{f} \mapsto \langle\vec{f}\rangle\}$. First of all, note that,
since $\Gamma \vdash c : I\vec{a}$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle c\rangle : \langle I\vec{a}\rangle$ and $\langle\Gamma\rangle$ is valid.

(1) Since $\Gamma \vdash a_j : A_j\gamma$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle a_j\rangle : \langle A_j\gamma\rangle$. But $\langle A_j\gamma\rangle = \langle A_j\rangle\gamma'$
since $FV(A_j) \subseteq \{\vec{x}\}$.

(2) Since $\Gamma \vdash c : I\vec{a}$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle c\rangle : \langle I\vec{a}\rangle$. But $\langle I\vec{a}\rangle = \langle I\rangle\langle\vec{a}\rangle = \langle I\rangle\vec{x}\gamma'$.

(3) Since $\Gamma \vdash f_i : T_i$, by induction hypothesis, $\langle\Gamma\rangle \vdash_{\mathcal{T}} \langle f_i\rangle : \langle T_i\rangle$. But $\langle T_i\rangle\gamma' = \langle T_i\rangle$
since $T_i$ is closed ($\vdash T_i : \Box$).

(4) Let $\Delta = \vec{x}:\langle\vec{A}\rangle, y:\langle I\rangle\vec{x}$ and $\Delta' = \Delta, \vec{f}:\langle\vec{T}\rangle$. We have $\Delta \vdash_{\mathcal{T}} \langle K\rangle : \Box$. We
prove that $\Delta'$ is valid. Indeed, in this case, by weakening, $\Delta' \vdash_{\mathcal{T}} \langle K\rangle : \Box$ and,
by (prod), $\vdash_{\mathcal{T}} \tau_{SElim_I^Q} : \Box$. Let $\Delta_i = \Delta, f_1:\langle T_1\rangle, \ldots, f_i:\langle T_i\rangle$. We prove by
induction on $i$ that $\Delta_i$ is valid. If $i = 0$, this is immediate. We now prove
that if $\Delta_i$ is valid then $\Delta_{i+1}$ is valid too. Since $\vdash_{\mathcal{T}} \langle T_{i+1}\rangle : \Box$, by weakening,
$\Delta_i \vdash_{\mathcal{T}} \langle T_{i+1}\rangle : \Box$. Therefore, by (var), $\Delta_{i+1} \vdash_{\mathcal{T}} f_{i+1} : \langle T_{i+1}\rangle$ and $\Delta_{i+1}$ is valid.

The other cases can be treated without difficulties. ■

Lemma 101 The rules of $\mathcal{T}$ are well typed.

Proof. We have to prove that the rules of $\mathcal{T}$ satisfy the conditions (S2) to (S4).
We just see the case of $WElim_I(Q,\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to \Delta'_W[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$.
The case of $SElim_I^Q(\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to \Delta'_S[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$ is similar. Let $B =$
$(\vec{x}:\vec{A})I\vec{x} \to \star$. We have $\tau_{WElim_I} = (Q:\langle B\rangle)(\vec{x}:\langle\vec{A}\rangle)(y:\langle I\rangle\vec{x})(\vec{f}:\langle\vec{T}\rangle)Q\vec{x}y$,
$T_i = \Delta\{I,X,C_i,Q,Constr(i,I)\}$, $C_i = (\vec{z}:\vec{B})X\vec{m}$, $B_j = (\vec{y}^j:\vec{D}^j)X\vec{q}^j$ if $X \in FV(B_j)$,
$\tau_{Constr_i^I} = (\vec{z}:\vec{B'})Ind_I(\langle\vec{m}\rangle)$, $B'_j = \langle B_j\rangle$ if $X \notin FV(B_j)$, $B'_j = (\vec{y}^j:\langle\vec{D}^j\rangle)Ind_I(\langle\vec{q}^j\rangle)$
otherwise, and $\tau_{Ind_I} = (\vec{x}:\langle\vec{A}\rangle)\star$. Let $l = WElim_I(Q,\vec{x},c,\vec{f})$,
$r = \Delta'_W[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$, $c = Constr_i^I(\vec{z})$ and $\gamma = \{y \mapsto c\}$. We take $\Gamma = Q:\langle B\rangle, \vec{z}:\vec{B'}, \vec{f}:\langle\vec{T}\rangle$
and $\rho = \{\vec{x} \mapsto \langle\vec{m}\rangle\}$.

(S2) We have to prove that $\Gamma \vdash_{\mathcal{T}} r : Q\langle\vec{m}\rangle c$. We have $r = \Delta'_W[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$
and $T_i = \Delta\{I,X,C_i,Q,Constr(i,I)\}$. There is no difficulty.

(S3) We have to prove that if $\Delta \vdash_{\mathcal{T}} l\sigma : T$ then $\sigma : \Gamma \to \Delta$. We have
$\Delta \vdash_{\mathcal{T}} WElim_I(Q\sigma,\vec{x}\sigma,Constr_i^I(\vec{z}\sigma),\vec{f}\sigma) : T$. Then, by inversion, we deduce that
$\Delta \vdash_{\mathcal{T}} Q\sigma : \langle B\rangle\sigma$, $\Delta \vdash_{\mathcal{T}} \vec{z}\sigma : \vec{B'}\sigma$ and $\Delta \vdash_{\mathcal{T}} \vec{f}\sigma : \langle\vec{T}\rangle\sigma$, that is, $\sigma : \Gamma \to \Delta$.

(S4) We have to prove that if $\Delta \vdash_{\mathcal{T}} l\sigma : T$ then, for all $x$, $x\rho\sigma \downarrow x\sigma$. By inversion,
we have $\Delta \vdash_{\mathcal{T}} c\sigma : \langle I\rangle\vec{x}\sigma$ and $Ind_I(\langle\vec{m}\rangle\sigma) \leftrightarrow^* \langle I\rangle\vec{x}\sigma$. Now, $\langle I\rangle\vec{x}\sigma \to^*_\beta Ind_I(\vec{x}\sigma)$.
Therefore, $Ind_I(\langle\vec{m}\rangle\sigma) \leftrightarrow^* Ind_I(\vec{x}\sigma)$ and, by confluence, $Ind_I(\langle\vec{m}\rangle\sigma) \downarrow Ind_I(\vec{x}\sigma)$.
Since $Ind_I$ is constant and $\langle\vec{m}\rangle\sigma = \vec{x}\rho\sigma$, we get $\vec{x}\sigma \downarrow \vec{x}\rho\sigma$. ■

Lemma 102 The rules of $\mathcal{T}$ are well formed.

Proof. Let us see the case of $WElim_I(Q,\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to \Delta'_W[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$.
The case of $SElim_I^Q(\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to \Delta'_S[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$ is dealt with
similarly. Let $B = (\vec{x}:\vec{A})I\vec{x} \to \star$. We have $\Gamma = Q:\langle B\rangle, \vec{z}:\vec{B'}, \vec{f}:\langle\vec{T}\rangle$ and
$\rho = \{\vec{x} \mapsto \langle\vec{m}\rangle\}$. We have to prove that each variable $x \in dom(\Gamma)$ is weakly
accessible in one of the arguments of $WElim_I$, that $x\Gamma$ is equal to $T\rho$ where $T$ is
the type of $x$ derived from $l$, and that $\Gamma \vdash_{\mathcal{T}} l\rho : (Q\vec{x}y)\gamma\rho$.

The accessibility is immediate for $Q$ and $\vec{f}$. The $z_j$'s are weakly accessible since
all the positions of a constructor are accessible (see the definition of $Acc(Constr_i^I)$).
The type of $z_j$ derived from $l$ is $B'_j$ which does not depend on $\vec{x}$. Therefore, $B'_j\rho =$
$B'_j = z_j\Gamma$.

Let us see $\Gamma \vdash_{\mathcal{T}} l\rho : (Q\vec{x}y)\gamma\rho$ now. We have $l\rho = WElim_I(Q,\langle\vec{m}\rangle,Constr_i^I(\vec{z}),\vec{f})$
and $(Q\vec{x}y)\gamma\rho = Q\langle\vec{m}\rangle c$. For applying (symb), we must prove (1) $\vdash_{\mathcal{T}} \tau_{WElim_I} : \star$,
(2) $\Gamma \vdash_{\mathcal{T}} Q : \langle B\rangle$, (3) $\Gamma \vdash_{\mathcal{T}} \langle\vec{m}\rangle : \langle\vec{A}\rangle\rho$, (4) $\Gamma \vdash_{\mathcal{T}} c : \langle I\rangle\langle\vec{m}\rangle$ and (5) $\Gamma \vdash_{\mathcal{T}} \vec{f} : \langle\vec{T}\rangle$.

Let us prove first of all that $\Gamma$ is valid. Note that $WElim_I$ is defined only if
there exists a well-typed term of the form $Elim(I,Q',\vec{a},c')\{\vec{f}\}$. And, in this case,
we have $\vdash Q' : B$ and $\vdash \vec{T} : \star$. Therefore, $\vdash B : \Box$ and $\vdash_{\mathcal{T}} \langle B\rangle : \Box$. Hence,
$Q:\langle B\rangle$ is valid. Moreover, if $WElim_I$ is well defined then $Ind_I$ is also well defined,
and therefore $Constr_i^I$ too. But, we have proved in the previous lemma that, in
this case, $\vdash_{\mathcal{T}} \tau_{Constr_i^I} : \star$. By weakening, $Q:\langle B\rangle \vdash_{\mathcal{T}} \tau_{Constr_i^I} : \star$. By inversion,
$Q:\langle B\rangle, \vec{z}:\vec{B'} \vdash_{\mathcal{T}} Ind_I(\langle\vec{m}\rangle) : \star$ and $Q:\langle B\rangle, \vec{z}:\vec{B'}$ is valid. Finally, as $\vdash \vec{T} : \star$, $\vdash_{\mathcal{T}} \langle\vec{T}\rangle : \star$
and, by weakening, $Q:\langle B\rangle, \vec{z}:\vec{B'} \vdash_{\mathcal{T}} \langle\vec{T}\rangle : \star$. Therefore $\Gamma$ is valid.

(1) Already proved in the previous lemma.

(2) By the Environment Lemma.

(3) From $\vec{z}:\vec{B'} \vdash_{\mathcal{T}} Ind_I(\langle\vec{m}\rangle) : \star$, by inversion, we deduce that $\vec{z}:\vec{B'} \vdash_{\mathcal{T}} \langle\vec{m}\rangle : \langle\vec{A}\rangle\rho$.
Therefore, by weakening, $\Gamma \vdash_{\mathcal{T}} \langle\vec{m}\rangle : \langle\vec{A}\rangle\rho$.

(4) As $\Gamma \vdash_{\mathcal{T}} \vec{z} : \vec{B'}$, by (symb), $\Gamma \vdash_{\mathcal{T}} c : Ind_I(\langle\vec{m}\rangle)$. Moreover, $\langle I\rangle\langle\vec{m}\rangle \to^*_\beta Ind_I(\langle\vec{m}\rangle)$.
After (3), $\Gamma \vdash_{\mathcal{T}} \langle\vec{m}\rangle : \langle\vec{A}\rangle\rho$. Therefore, by (app), $\Gamma \vdash_{\mathcal{T}} \langle I\rangle\langle\vec{m}\rangle : \star$ and, by (conv),
$\Gamma \vdash_{\mathcal{T}} c : \langle I\rangle\langle\vec{m}\rangle$.

(5) By the Environment Lemma. ■

Lemma 103 $\mathcal{T}$ satisfies the conditions of strong normalization of Definition 91.
Proof.

(A0) After the previous lemma.

(A1) We have already seen that $\to$ is confluent.

(A2) For the inductive structure, we take:

- $Ind_I >_{\mathcal{C}} Ind_J$ if $J$ is a strict subterm of $I$; this is a well-founded quasi-ordering,

- $Ind(Ind_I) = \emptyset$,

- $Acc(Constr_i^I) = \{1, \ldots, n\}$ where $n$ is the arity of $Constr_i^I$.

We prove that this inductive structure is admissible. Let $C$ be a constant predicate
symbol. Then $C = Ind_I$ with $I = Ind(X:A)\{\vec{C}\}$ and $A = (\vec{x}:\vec{A})\star$, and
$C$ is of type $(\vec{x}:\langle\vec{A}\rangle)\star$. Let $c = Constr_i^I$ be one of the constructors of $C$. By
hypothesis, $C_i = (\vec{z}:\vec{B})X\vec{m}$ and $B_j = (\vec{y}^j:\vec{D}^j)X\vec{q}^j$ if $X \in FV(B_j)$. Therefore
$c$ is of type $(\vec{z}:\vec{B'})C(\langle\vec{m}\rangle)$ with $B'_j = \langle B_j\rangle$ if $X \notin FV(B_j)$, and $B'_j = (\vec{y}^j:\langle\vec{D}^j\rangle)C(\langle\vec{q}^j\rangle)$
with $X \notin FV(\vec{D}^j\vec{q}^j)$ otherwise. Let $\vec{v} = \langle\vec{m}\rangle$, $j \in Acc(c)$ and $U_j = B'_j$.

(I3) $\forall D \in \mathcal{CF}^\Box$, $D =_{\mathcal{C}} C \Rightarrow Pos(D,U_j) \subseteq Pos^+(U_j)$. Necessarily, $D = C$. Either
$X \notin FV(B_j)$ and $Pos(C,U_j) = \emptyset$, or $B_j = (\vec{y}:\vec{D})X\vec{q}$ and $X \notin FV(\vec{D}\vec{q})$. In
every case, $Pos(C,U_j) \subseteq Pos^+(U_j)$.

(I4) $\forall D \in \mathcal{CF}^\Box$, $D >_{\mathcal{C}} C \Rightarrow Pos(D,U_j) = \emptyset$. If $D = Ind_J >_{\mathcal{C}} C =$
$Ind_I$ then $I$ is a strict subterm of $J$. Therefore, $J$ cannot occur in $I$ and
$Pos(D,U_j) = \emptyset$.

(I5) $\forall F \in \mathcal{DF}^\Box$, $Pos(F,U_j) \subseteq Pos^\delta(U_j)$. By hypothesis on the types of CIC$^-$.

(I6) $\forall Y \in FV^\Box(U_j)$, $\exists \iota_Y \le \alpha_C$, $v_{\iota_Y} = Y$. By hypothesis on the types of CIC$^-$.

(I2) $\forall Y \in FV^\Box(U_j)$, $\iota_Y \in Ind(C) \Rightarrow Pos(Y,U_j) \subseteq Pos^+(U_j)$. Since $Ind(C) = \emptyset$.

(A3) For $>_{\mathcal{F}}$, we take the equality. We prove that the rules defining $SElim_I^Q$ form
a system which is:

- recursive: We prove this for all the symbols in (A4) below.

- small: We have $SElim_I^Q(\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to \Delta'_S[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$. We
will denote by $\vec{l}$ the arguments of $SElim_I^Q$ and by $r$ the right-hand side of the
rule. We have to prove that, for all $X \in FV^\Box(r)$, there exists a unique $\kappa_X$ such
that $l_{\kappa_X} = X$. We have $FV^\Box(r) = \{\vec{f}\} \cup (\{\vec{z}\} \cap \mathcal{X}^\Box)$. For $f_j$, this is immediate.
For $z_j \in \mathcal{X}^\Box$, this comes from the restriction of the strong elimination to small
inductive types: $\vec{z} = \vec{x}\vec{z'}$ with $\{\vec{z'}\} \cap \mathcal{X}^\Box = \emptyset$.

- simple:

(B1) The symbols occurring in the arguments of $WElim_I$ or $SElim_I^Q$ are
constant.

(B2) At most one rule can be applied at the top of a term of the form
$WElim_I(Q,\vec{a},c,\vec{f})$ or $SElim_I^Q(\vec{a},c,\vec{f})$.

(A4) We have $\mathcal{R}_1 = \emptyset$. Therefore, we just have to check the conditions (a) and (b):

(a) $(\mathcal{F},\mathcal{R})$ is recursive: Let us see the case of $WElim_I(Q,\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to$
$\Delta'_W[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$. We will denote by $l$ and $r$ the left-hand side and
the right-hand side of this rule. The case of $SElim_I^Q(\vec{x},Constr_i^I(\vec{z}),\vec{f}) \to$
$\Delta'_S[I,X,C_i,f_i,Q,\vec{f},\vec{z}]$ is similar.

For the precedence $>_{\mathcal{F}}$, we take $WElim_I >_{\mathcal{F}} WElim_J$, $WElim_I >_{\mathcal{F}} SElim_J^Q$,
$SElim_I^Q >_{\mathcal{F}} WElim_J$ and $SElim_I^Q >_{\mathcal{F}} SElim_J^{Q'}$ if $J$ is a strict
subterm of $I$, and all the defined symbols greater than the constant symbols.

For the status, we take $stat_{WElim_I} = lex(mul(x_k))$ where $k$ is the position
of the argument of type $\langle I\rangle\vec{x}$. We do the same for $SElim_I^Q$. Such an
assignment is clearly compatible with $>_{\mathcal{F}}$.

We have to check first that the rule is well formed. We have $\Gamma = Q:\langle B\rangle, \vec{z}:\vec{B'}, \vec{f}:\langle\vec{T}\rangle$
and $\rho = \{\vec{x} \mapsto \langle\vec{m}\rangle\}$. We have to prove that each $x \in dom(\Gamma)$ is weakly
accessible in one of the arguments of $WElim_I$ and that $x\Gamma$ is equal to $T\rho$ where
$T$ is the type of $x$ derived from $l$. This is immediate for $Q$ and $\vec{f}$. The $z_j$'s are
weakly accessible since all the positions of a constructor are accessible (see the
definition of $Acc(Constr_i^I)$). The type of $z_j$ derived from $l$ is $B'_j$ which does not
depend on $\vec{x}$. Therefore, $B'_j\rho = B'_j = z_j\Gamma$.

We now show that $r$ belongs to the computable closure of $l$, that is,
$\Gamma \vdash_c r : Q\langle\vec{m}\rangle c$ where $c = Constr_i^I(\vec{z})$. First of all, note that $\mathcal{R}$ and $\Gamma$ are
compatible with $>_{\mathcal{F}}$. This is clear for $\mathcal{R}$. For $\Gamma$, this is due to our restriction
on $SElim_I^Q$: the inductive types of $Q$ are subterms of $I$. Hence, by
Lemmas 89 and 87, we have $\Gamma \vdash_c x\Gamma : s$ for all $x \in dom_s(\Gamma)$, and $\Gamma \vdash_c \tau_g : s$
for all $g <_{\mathcal{F}} WElim_I$. Hence, we easily check that $\Gamma \vdash_c r : Q\langle\vec{m}\rangle c$.

(b) $(\mathcal{F},\mathcal{R})$ is safe: Let $\vec{T}U$ be the sequence $\langle B\rangle, \langle\vec{A}\rangle, \langle I\rangle\vec{x}, \langle\vec{T}\rangle, Q\vec{x}y$. We have to
prove:

- $\forall X \in FV^\Box(\vec{T}U)$, $X\gamma\rho \in dom^\Box(\Gamma)$,

- $\forall X, X' \in FV^\Box(\vec{T}U)$, $X\gamma\rho = X'\gamma\rho \Rightarrow X = X'$.

We have $FV^\Box(\vec{T}U) = \{Q\} \cup (\{\vec{x}\} \cap \mathcal{X}^\Box)$, $Q\gamma\rho = Q \in dom^\Box(\Gamma)$ and $x_i\gamma\rho =$
$\langle m_i\rangle$. Therefore the previous properties are satisfied thanks to the safety
condition on inductive types. ■



We are now left to prove that the translation reflects the strong normalization.

Lemma 104 If $\Gamma \vdash t : T$ and $t \to_{\beta\iota'} t'$ then $\langle t\rangle \to^+ \langle t'\rangle$.

Proof. By induction on $\Gamma \vdash t : T$.

(Ind) Since $I \in \mathcal{NF}$, no reduction is possible.

(Constr) Since $\Gamma \vdash I : T$, by inversion, $I \in \mathcal{NF}$ and no reduction is possible.

($\star$-Elim) We have $\langle t\rangle = WElim_I(\langle Q\rangle,\langle\vec{a}\rangle,\langle c\rangle,\langle\vec{f}\rangle)$. Since $\Gamma \vdash I : T$, by inversion,
$I \in \mathcal{NF}$ and no reduction is possible in $I$. If $Q \to_{\beta\iota'} Q'$ then, since $\vdash Q : (\vec{x}:\vec{A})I\vec{x} \to \star$,
by induction hypothesis, $\langle Q\rangle \to^+ \langle Q'\rangle$ and $\langle t\rangle \to^+ \langle t'\rangle$. If $\vec{a} \to_{\beta\iota'} \vec{a'}$
then, since $\Gamma \vdash \vec{a} : \vec{A}\gamma$, by induction hypothesis, $\langle\vec{a}\rangle \to^+ \langle\vec{a'}\rangle$ and $\langle t\rangle \to^+ \langle t'\rangle$.
Finally, if $c \to_{\beta\iota'} c'$ then, since $\Gamma \vdash c : I\vec{a}$, by induction hypothesis, $\langle c\rangle \to^+ \langle c'\rangle$
and $\langle t\rangle \to^+ \langle t'\rangle$.

($\Box$-Elim) We have $\langle t\rangle = SElim_I^Q(\langle\vec{a}\rangle,\langle c\rangle,\langle\vec{f}\rangle)$. Since $\Gamma \vdash I : T$, by inversion,
$I \in \mathcal{NF}$ and no reduction is possible in $I$. Since $Q \in \mathcal{NF}$, no reduction is
possible in $Q$. If $\vec{a} \to_{\beta\iota'} \vec{a'}$ then, since $\Gamma \vdash \vec{a} : \vec{A}\gamma$, by induction hypothesis,
$\langle\vec{a}\rangle \to^+ \langle\vec{a'}\rangle$ and $\langle t\rangle \to^+ \langle t'\rangle$. Finally, if $c \to_{\beta\iota'} c'$ then, since $\Gamma \vdash c : I\vec{a}$, by
induction hypothesis, $\langle c\rangle \to^+ \langle c'\rangle$ and $\langle t\rangle \to^+ \langle t'\rangle$.

The other cases can be treated without difficulties. ■



7.2 CIC + Rewriting 

We have just seen that most of the Calculus of Inductive Constructions is
formalizable as a CAC. We are going to see that we can add to this CAC rewriting
rules that are not formalizable in CIC. Take the symbols $nat : \star$, $0 : nat$,
$s : nat \to nat$, $+, \times : nat \to nat \to nat$, $list : \star \to \star$, $nil : (A:\star)list(A)$,
$cons : (A:\star)A \to list(A) \to list(A)$, $app : (A:\star)list(A) \to list(A) \to list(A)$,
$len : (A:\star)list(A) \to nat$ the length of a list, $in : (A:\star)A \to list(A) \to \star$ the
membership predicate, $incl : (A:\star)list(A) \to list(A) \to \star$ the inclusion predicate,
$sub : (A:\star)list(A) \to list(A) \to \star$ the sublist predicate, $eq : (A:\star)A \to A \to \star$ the
polymorphic Leibniz equality, $\top : \star$ the proposition always true, $\bot : \star$ the proposition
always false, $\neg : \star \to \star$, $\vee, \wedge : \star \to \star \to \star$ and the following rules:



$x + 0 \to x$ $\qquad$ $x \times 0 \to 0$

$0 + x \to x$ $\qquad$ $0 \times x \to 0$

$x + s(y) \to s(x + y)$ $\qquad$ $x \times s(y) \to (x \times y) + x$

$s(x) + y \to s(x + y)$ $\qquad$ $s(0) \times x \to x$

$(x + y) + z \to x + (y + z)$ $\qquad$ $x \times s(0) \to x$

$\neg\top \to \bot$ $\qquad$ $P \vee \top \to \top$ $\qquad$ $P \wedge \top \to P$

$\neg\bot \to \top$ $\qquad$ $P \vee \bot \to P$ $\qquad$ $P \wedge \bot \to \bot$
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eg(A,0,0) - 
eq{A,0,s(x)) 

eg(A, s(x),0) -> 

e<?(A,s(x),s(y)) -> 

app(A,nil(A'),£) -> 
app(A, cons(A' , x, £), £') — > 

len(A,nil(A')) -> 
len(A,cons(A',x,£)) — > 
ien(A,app(A',^,^)) -► 

m(A, x, mZ(A')) — > 
m(A, x, cons(A', y, Z)) — > 
su6(A,raiZ(A'),Z) 
su6(A, coras(A', x, Z), mZ(A")) 
su6(A, cons(A', x, Z), cons(A", x', /')) 

incl(A, cons(A' , x, Z), Z') 

eg(L,mZ(A),mZ(A')) 
eg(L, mZ(A), cons(A', x, Z)) 
eq(L, cons(A', x, Z), niZ(A)) 
e(/(L, cons(A, x, Z), cons(A', x', Z')) 



T 
_L 
_L 

eq(nat, x, y) 
£ 

cons(A, x, app(A, £, £')) 
app(A,£,app{A, £',£")) 



s(ten(A,£)) 
len(A,£) + len(A,£') 

_L 

eg(A, x, y) V m(A, x, Z) 
-» T 
-* 1 

-»■ (eg(A, x, x') A su6(A, Z, I')) 

Vsub(A, cons(A, x, Z), I') 
-» T 

— »■ m(A,x, Z') Aincl(A,l,l') 

-» T 

-»• _L 

-4 1 

-> eg(A,x,x') A eq(list(A),l,l') 



This rewriting system is recursive, simple, small, safe and confluent (this can be automatically proved by CiME [33]). Since the rules are left-linear, the combination with $\to_\beta$ is also confluent. Therefore, the conditions of strong normalization are satisfied.

In particular, consider the last rule, where $\Gamma = A:\star, x:A, x':A, \ell:list(A), \ell':list(A)$ and $\rho = \{A' \mapsto A, L \mapsto list(A)\}$. It is well formed: for example, $cons(A', x', \ell') : L \;\triangleright\; x' : A'$. And it satisfies the General Schema: $\{cons(A, x, \ell) : L, cons(A', x', \ell') : L\} \;(\triangleright)_{mul}\; \{x : A, x' : A\}, \{\ell : list(A), \ell' : list(A)\}$.

However, the system lacks several important rules to get a complete decision 
procedure for classical propositional tautologies (Figure 1.3) or other simplification 
rules on the equality (Figure 1.4). To accept these rules, we must deal with rewriting 
modulo associativity and commutativity and get rid of the simplicity conditions. 
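To see the rule set of this section at work, here is a small first-order rewriter that is not part of the thesis: it encodes the nat/list/proposition rules above, normalises closed terms by leftmost-innermost rewriting (the system is terminating, so the loop ends), and shows that a term such as $\top \vee P$ is stuck for lack of a commutative variant of the rule $P \vee \top \to \top$. The term encoding (tuples, with type arguments carried as ordinary arguments) and the sample data are this example's own assumptions.

```python
# Added example, not from the thesis: a first-order rewriter for the rules
# of Section 7.2. A term is a tuple (symbol, arg_1, ..., arg_n); a bare
# string is a rule variable. The type arguments A, A', L are matched and
# copied like any other argument.

def is_var(t):
    return isinstance(t, str)

def match(pat, term, sub):
    """Extend substitution `sub` so that pat·sub == term; None on failure."""
    if is_var(pat):
        if pat in sub:
            return sub if sub[pat] == term else None
        sub[pat] = term
        return sub
    if is_var(term) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        if match(p, t, sub) is None:
            return None
    return sub

def inst(pat, sub):
    """Apply substitution `sub` to a right-hand side."""
    if is_var(pat):
        return sub[pat]
    return (pat[0],) + tuple(inst(p, sub) for p in pat[1:])

Z, NAT, TOP, BOT = ('0',), ('nat',), ('⊤',), ('⊥',)
def S(x): return ('s', x)
def NIL(a): return ('nil', a)
def CONS(a, x, l): return ('cons', a, x, l)

RULES = [  # (left-hand side, right-hand side), as listed in Section 7.2
    (('+', 'x', Z), 'x'), (('×', 'x', Z), Z),
    (('+', Z, 'x'), 'x'), (('×', Z, 'x'), Z),
    (('+', 'x', S('y')), S(('+', 'x', 'y'))), (('×', 'x', S('y')), ('+', ('×', 'x', 'y'), 'x')),
    (('+', S('x'), 'y'), S(('+', 'x', 'y'))), (('×', S(Z), 'x'), 'x'),
    (('+', ('+', 'x', 'y'), 'z'), ('+', 'x', ('+', 'y', 'z'))), (('×', 'x', S(Z)), 'x'),
    (('¬', TOP), BOT), (('∨', 'P', TOP), TOP), (('∧', 'P', TOP), 'P'),
    (('¬', BOT), TOP), (('∨', 'P', BOT), 'P'), (('∧', 'P', BOT), BOT),
    (('eq', 'A', Z, Z), TOP), (('eq', 'A', Z, S('x')), BOT), (('eq', 'A', S('x'), Z), BOT),
    (('eq', 'A', S('x'), S('y')), ('eq', NAT, 'x', 'y')),
    (('app', 'A', NIL("A'"), 'l'), 'l'),
    (('app', 'A', CONS("A'", 'x', 'l'), "l'"), CONS('A', 'x', ('app', 'A', 'l', "l'"))),
    (('app', 'A', ('app', "A'", 'l', "l'"), "l''"), ('app', 'A', 'l', ('app', 'A', "l'", "l''"))),
    (('len', 'A', NIL("A'")), Z),
    (('len', 'A', CONS("A'", 'x', 'l')), S(('len', 'A', 'l'))),
    (('len', 'A', ('app', "A'", 'l', "l'")), ('+', ('len', 'A', 'l'), ('len', 'A', "l'"))),
    (('in', 'A', 'x', NIL("A'")), BOT),
    (('in', 'A', 'x', CONS("A'", 'y', 'l')), ('∨', ('eq', 'A', 'x', 'y'), ('in', 'A', 'x', 'l'))),
    (('sub', 'A', NIL("A'"), 'l'), TOP),
    (('sub', 'A', CONS("A'", 'x', 'l'), NIL("A''")), BOT),
    (('sub', 'A', CONS("A'", 'x', 'l'), CONS("A''", "x'", "l'")),
     ('∨', ('∧', ('eq', 'A', 'x', "x'"), ('sub', 'A', 'l', "l'")),
           ('sub', 'A', CONS('A', 'x', 'l'), "l'"))),
    (('incl', 'A', NIL("A'"), 'l'), TOP),
    (('incl', 'A', CONS("A'", 'x', 'l'), "l'"), ('∧', ('in', 'A', 'x', "l'"), ('incl', 'A', 'l', "l'"))),
    (('eq', 'L', NIL('A'), NIL("A'")), TOP),
    (('eq', 'L', NIL('A'), CONS("A'", 'x', 'l')), BOT),
    (('eq', 'L', CONS("A'", 'x', 'l'), NIL('A')), BOT),
    (('eq', 'L', CONS('A', 'x', 'l'), CONS("A'", "x'", "l'")),
     ('∧', ('eq', 'A', 'x', "x'"), ('eq', ('list', 'A'), 'l', "l'"))),
]

def step(t):
    """One leftmost-innermost rewrite step; None if t is in normal form."""
    if is_var(t):
        return None
    for i in range(1, len(t)):           # arguments first
        r = step(t[i])
        if r is not None:
            return t[:i] + (r,) + t[i + 1:]
    for lhs, rhs in RULES:               # then a root step
        sub = match(lhs, t, {})
        if sub is not None:
            return inst(rhs, sub)
    return None

def normalize(t):
    """Rewrite to normal form; the system is terminating, so this stops."""
    while (r := step(t)) is not None:
        t = r
    return t

# Constructed sample data: Peano numerals and lists of naturals.
def num(n):
    t = Z
    for _ in range(n):
        t = S(t)
    return t

def nat_list(xs):
    t = NIL(NAT)
    for x in reversed(xs):
        t = CONS(NAT, num(x), t)
    return t

if __name__ == '__main__':
    print(normalize(('len', NAT, ('app', NAT, nat_list([1, 2]), nat_list([3])))) == num(3))
    print(normalize(('sub', NAT, nat_list([2]), nat_list([1, 2]))))   # ('⊤',)
    print(normalize(('∨', TOP, 'P')))   # stuck: no rule rewrites ⊤ ∨ P
```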



7.3 Natural Deduction Modulo (NDM) 

Natural Deduction Modulo (NDM) for first-order logic [50] can be presented as an extension of Natural Deduction with the following additional inference rule:

$$\frac{\Gamma \vdash P}{\Gamma \vdash Q} \quad (P \equiv Q)$$

where $\equiv$ is an equivalence relation on propositions stable by substitution and context. This is a very powerful extension of first-order logic since higher-order logic and skolemized set theory can both be described as theories modulo (by using explicit substitutions [1]).

In [51], G. Dowek and B. Werner study the strong normalization of cut elimination in the case where $\equiv$ is generated from a first-order confluent and weakly normalizing rewrite system. In particular, they prove the strong normalization in two general cases: when the system is positive and when it has no quantifier. In [52], they give an example of a confluent and weakly normalizing system for which cut elimination is not normalizing. The problem comes from the fact that the elimination rule for $\forall$ introduces a substitution:

$$\frac{\Gamma \vdash \forall x.P(x)}{\Gamma \vdash P(t)}$$

Hence, when a predicate symbol is defined by a rule whose right hand-side contains quantifiers, its combination with $\beta$-reduction may not be normalizing. A normalization criterion for higher-order rewriting like the one we give in this work is therefore necessary.

Now, since NDM is a CAC (logical connectives can be defined as constant predicate symbols), we can compare our conditions with the ones given in [51].

(A1) In [51], only $\mathcal{R}$ is required to be confluent. We do not know whether this always implies the confluence of $\to_{\mathcal{R}} \cup \to_\beta$. This is true if $\mathcal{R}$ is left-linear since then we have a union of left-linear and confluent CRS's with no critical pair between each other (general result due to V. van Oostrom [117] and proved in the particular case of $\to_\beta$ by F. Müller [92]). But we are not aware of work proving that, in presence of dependent types and rewriting at the type level, $\to_{\mathcal{R}} \cup \to_\beta$ is confluent even though $\mathcal{R}$ is not left-linear (V. Breazu-Tannen and J. Gallier have shown in [28] the preservation of confluence for the polymorphic $\lambda$-calculus with first-order rewriting at the object level).

(A2) The NDM types are primitive and form an admissible inductive structure when we take them as being all equivalent in $=_{\mathcal{C}}$.

(A3) In [51], the strong normalization of cut elimination is proved in two general cases: when the rules of $(\mathcal{DF}^\square, \mathcal{R}_{\mathcal{DF}^\square})$ have no quantifier and when they are positive. The systems without quantifiers are primitive. Therefore, in this case, (A3) is satisfied. On the other hand, in the positive case, we also require the arguments of the left hand-sides to be constant symbols and that at most one rule can be applied at the top of a term (NDM systems are small). But we also provide a new case: $(\mathcal{DF}^\square, \mathcal{R}_{\mathcal{DF}^\square})$ can be recursive, small and simple.

(A4) Rules without quantifiers are first-order and rules with quantifiers are higher-order. In [51], these two kinds of rules are treated in the same way. But the counter-example given in [52] shows that they should not be. In our conditions, we require symbols defined by rules with quantifiers to satisfy the General Schema.

Theorem 105 An NDM proof system satisfying the conditions (A1), (A3) and (A4) is strongly normalizing.



Chapter 8 

Correctness of the conditions 



Our proof of strong normalization is based on the extension to the Calculus of Constructions by T. Coquand and J. Gallier [36] of Tait and Girard's method of reducibility candidates [64]. The idea is to interpret each type $T$ by a set $[\![T]\!]$ of strongly normalizable terms and to prove that every term of type $T$ belongs to $[\![T]\!]$. The reader not familiar with these notions is invited to read Chapter 3 of the Ph.D. thesis of B. Werner [119] for an introduction to candidates, and the paper of J. Gallier for a more detailed presentation [56]. An important difference between the candidates of T. Coquand and J. Gallier and the candidates of B. Werner for the Calculus of Inductive Constructions is that the former are made of well-typed terms while the latter are made of pure (untyped) $\lambda$-terms.

8.1 Terms to be interpreted 

In order to have the environment in which a term is typable, we use closures, that is, environment-term pairs.

Definition 106 (Closure) A closure is a pair $\Gamma \vdash t$ made of an environment $\Gamma \in \mathcal{E}$ and a term $t \in \mathcal{T}$. A closure $\Gamma \vdash t$ is typable if there exists a term $T \in \mathcal{T}$ such that $\Gamma \vdash t : T$. We will denote by $\mathbb{T}$ the set of typable closures.

The set of closures of type $\Gamma \vdash T$ is $\mathbb{T}_{\Gamma\vdash T} = \{\Gamma' \vdash t \in \mathbb{T} \mid \Gamma' \supseteq \Gamma \text{ and } \Gamma' \vdash t : T\}$. The set of closures of type $\Gamma \vdash T$ whose terms are strongly normalizable will be denoted by $\mathcal{SN}_{\Gamma\vdash T}$. The restriction of a set $S \subseteq \mathbb{T}_{\Gamma\vdash T}$ to an environment $\Gamma' \supseteq \Gamma$ is

$S|_{\Gamma'} = S \cap \mathbb{T}_{\Gamma'\vdash T} = \{\Gamma'' \vdash t \in S \mid \Gamma'' \supseteq \Gamma'\}$.

One can easily check the following basic properties:

Lemma 107

(a) If $\Gamma' \vdash t \in \mathbb{T}_{\Gamma\vdash T}$ and $\Gamma' \subseteq \Gamma'' \in \mathcal{E}$ then $\Gamma'' \vdash t \in \mathbb{T}_{\Gamma\vdash T}$.

(b) If $\Gamma \subseteq \Gamma' \in \mathcal{E}$ then $\mathbb{T}_{\Gamma'\vdash T} \subseteq \mathbb{T}_{\Gamma\vdash T}$ and $\mathbb{T}_{\Gamma\vdash T}|_{\Gamma'} = \mathbb{T}_{\Gamma'\vdash T}$.

(c) If $T \downarrow_\Gamma T'$ then $\mathbb{T}_{\Gamma\vdash T} = \mathbb{T}_{\Gamma\vdash T'}$.

We have to define an interpretation for all the terms that can be the type of another term, that is, for all the terms $T$ such that there exist $\Gamma$ and $t$ such that $\Gamma \vdash t : T$. In this case, by correctness of types, there exists $s$ such that $T = s$ or $\Gamma \vdash T : s$. Thus, we have to define an interpretation for the terms of the following sets:

- $B = \{\Gamma \vdash T \in \mathcal{E} \times \mathcal{T} \mid \Gamma \in \mathcal{E} \wedge T = \square\}$,

- $\mathcal{TY}^\star = P^\circ = \{\Gamma \vdash T \in \mathcal{E} \times \mathcal{T} \mid \Gamma \vdash T : \star\}$,

- $\mathcal{TY}^\square = K = \{\Gamma \vdash K \in \mathcal{E} \times \mathcal{T} \mid \Gamma \vdash K : \square\}$.

A term $T$ such that $\Gamma \vdash T \in P^\circ$ can be obtained by application of a term $U$ to a term $v$. By inversion, $U$ must have a type of the form $(x:V)W$. By correctness of types, there exists $s$ such that $\Gamma \vdash (x:V)W : s$. As $T$ belongs to the same class as $U$ (both are predicates), by classification, we obtain $s = \square$. Therefore, after the Maximal sort Lemma, $\Gamma \vdash U$ cannot belong to $P^\circ$. We therefore have to give an interpretation to the terms of the following sets also:

- $P^\star = \{\Gamma \vdash T \in \mathcal{E} \times \mathcal{T} \mid \exists x, U, K,\ \Gamma \vdash T : (x:U)K \wedge \Gamma \vdash U : \star \wedge \Gamma \vdash K : \square\}$,

- $P^\square = \{\Gamma \vdash T \in \mathcal{E} \times \mathcal{T} \mid \exists X, K, L,\ \Gamma \vdash T : (X:K)L \wedge \Gamma \vdash K : \square \wedge \Gamma \vdash L : \square\}$,

- $P = P^\circ \cup P^\star \cup P^\square$,

- $\mathcal{TY} = B \cup K \cup P$.

In order to justify our definition of $P$ and to ensure that all the terms that have to be interpreted are indeed in $\mathcal{TY}$, it suffices to see that, after the Maximal sort Lemma, the projection of $P$ on $\mathcal{T}$, that is, the set $\{T \in \mathcal{T} \mid \exists \Gamma \in \mathcal{E},\ \Gamma \vdash T \in P\}$, is equal to the class $\mathcal{P}$ of predicates.

Lemma 108 The sets $P^\circ$, $P^\star$, $P^\square$, $K$ and $B$ are disjoint from one another.

Proof. We have seen that $P^\circ$ is disjoint from $P^\star$ and $P^\square$. Since $\square$ is not typable, $B$ is disjoint from all the other sets. $P$ and $K$ are disjoint since their projections $\mathcal{P}$ and $\mathcal{K}$ are disjoint. We are therefore left to verify that $P^\star$ and $P^\square$ are indeed disjoint. Assume that there exists $\Gamma \vdash T \in P^\star \cap P^\square$. Then, there exist $x, U, K, X, K'$ and $L$ such that $\Gamma \vdash T : (x:U)K$, $\Gamma \vdash U : \star$, $\Gamma \vdash K : \square$, $\Gamma \vdash T : (X:K')L$, $\Gamma \vdash K' : \square$ and $\Gamma \vdash L : \square$. By convertibility of types, $(x:U)K \downarrow^* (X:K')L$. By product compatibility, $U \downarrow^* K'$. By conversion correctness, $\star = \square$, which is not possible. ■

We now introduce a measure on $\mathcal{TY}$ which will allow us to do recursive definitions.

Definition 109
$$\mu(\Gamma \vdash T) = \begin{cases} 0 & \text{if } T = \square \text{ or } \Gamma \vdash T : \square \\ \nu(K) & \text{if } \Gamma \vdash T : K \text{ and } \Gamma \vdash K : \square \end{cases}$$

where $\nu$ is defined on predicate types as follows:

- $\nu(\star) = 0$

- $\nu((x:U)K) = 1 + \nu(K)$

- $\nu((X:K)L) = 1 + \max(\nu(K), \nu(L))$

We must make sure that this definition does not depend on $K$. As all the types of $T$ are convertible, it suffices to check that $\nu$ is invariant by conversion:

Lemma 110 If $K \downarrow^* K'$ then $\nu(K) = \nu(K')$.

Proof. By induction on the size of $K$ and $K'$. After the Maximal sort Lemma, $K$ is of the form $(\vec x : \vec T)\star$, $K'$ is of the form $(\vec x' : \vec T')\star$ and $|\vec x| = |\vec x'|$. Let $n = |\vec x| = |\vec x'|$. By product compatibility and $\alpha$-equivalence, we can assume that $\vec x' = \vec x$. If $n = 0$ then $K = K' = \star$ and $\nu(K) = \nu(K')$. Assume now that $n > 0$. Let $L = (x_2 : T_2) \ldots (x_n : T_n)\star$ and $L' = (x_2 : T'_2) \ldots (x_n : T'_n)\star$. By product compatibility, $T_1 \downarrow^* T'_1$ and $L \downarrow^* L'$. By Conversion correctness, $T_1$ and $T'_1$ are typable by the same sort $s$. By inversion and regularity, $\Gamma, x_1 : T_1 \vdash L : \square$ and $\Gamma, x_1 : T'_1 \vdash L' : \square$. So, by induction hypothesis, $\nu(L) = \nu(L')$ and, if $s = \square$, $\nu(T_1) = \nu(T'_1)$. Therefore, $\nu(K) = \nu(K')$. ■

Lemma 111 If $\Gamma \vdash T \in \mathcal{TY}$ and $\theta : \Gamma \to \Delta$ then $\Delta \vdash T\theta \in \mathcal{TY}$ and $\mu(\Delta \vdash T\theta) = \mu(\Gamma \vdash T)$.

Proof. First of all, one can easily prove by induction on the structure of predicate types that, if $K$ is a predicate type and $\theta$ is a substitution, then $K\theta$ is a predicate type and $\nu(K\theta) = \nu(K)$. We now show the lemma by case on $T$:

- $T = \square$. $\Delta \vdash T\theta = \Delta \vdash \square \in \mathcal{TY}$ and $\mu(\Delta \vdash T\theta) = 0 = \mu(\Gamma \vdash T)$.

- $\Gamma \vdash T : \square$. By substitution, $\Delta \vdash T\theta : \square$, $\Delta \vdash T\theta \in \mathcal{TY}$ and $\mu(\Delta \vdash T\theta) = 0 = \mu(\Gamma \vdash T)$.

- $\Gamma \vdash T : K$ and $\Gamma \vdash K : \square$. By substitution, $\Delta \vdash T\theta : K\theta$ and $\Delta \vdash K\theta : \square$. Thus $\Delta \vdash T\theta \in \mathcal{TY}$. Now, $\mu(\Delta \vdash T\theta) = \nu(K\theta)$ and $\mu(\Gamma \vdash T) = \nu(K)$. But $\nu(K\theta) = \nu(K)$. ■

8.2 Reducibility candidates

We will denote by:

- $\mathcal{SN}$ the set of strongly normalizable terms,

- $\mathcal{WN}$ the set of weakly normalizable terms,

- $\mathcal{CR}$ the set of terms $t$ such that two reduction sequences issued from $t$ are always confluent.

Definition 112 (Neutral term) A term is neutral if it is neither an abstraction nor constructor headed.

Definition 113 (Reducibility candidates) For each $\Gamma \vdash T \in \mathcal{TY}$, we are going to define by induction on $\mu(\Gamma \vdash T)$:

- the set $\mathcal{R}_{\Gamma\vdash T}$ of reducibility candidates of type $\Gamma \vdash T$,

- the restriction $R|_{\Gamma'}$ of a candidate $R \in \mathcal{R}_{\Gamma\vdash T}$ w.r.t. an environment $\Gamma' \supseteq \Gamma$,

- the relation $\le_{\Gamma\vdash T}$ on $\mathcal{R}_{\Gamma\vdash T}$,

- the element $\top_{\Gamma\vdash T}$ of $\mathcal{R}_{\Gamma\vdash T}$,

- the function $\bigwedge_{\Gamma\vdash T}$ from the powerset of $\mathcal{R}_{\Gamma\vdash T}$ to $\mathcal{R}_{\Gamma\vdash T}$.

• $T = \square$.

- $\mathcal{R}_{\Gamma\vdash\square} = \{\mathcal{SN}_{\Gamma\vdash\square}\}$.

- $R|_{\Gamma'} = R \cap \mathbb{T}_{\Gamma'\vdash\square}$.

- $R_1 \le_{\Gamma\vdash\square} R_2$ if $R_1 \subseteq R_2$.

- $\top_{\Gamma\vdash\square} = \mathcal{SN}_{\Gamma\vdash\square}$.

- $\bigwedge_{\Gamma\vdash\square}(\Re) = \top_{\Gamma\vdash\square}$.

• $\Gamma \vdash T : s$.

- $\mathcal{R}_{\Gamma\vdash T}$ is the set of all the subsets $R$ of $\mathbb{T}_{\Gamma\vdash T}$ such that:

(R1) $R \subseteq \mathcal{SN}$ (strong normalization);

(R2) if $\Gamma' \vdash t \in R$ and $t \to t'$ then $\Gamma' \vdash t' \in R$ (stability by reduction);

(R3) if $\Gamma' \vdash t \in \mathbb{T}_{\Gamma\vdash T}$, $t$ is neutral and, for all $t'$ such that $t \to t'$, $\Gamma' \vdash t' \in R$, then $\Gamma' \vdash t \in R$ (stability by expansion for neutral terms);

(R4) if $\Gamma' \vdash t \in R$ and $\Gamma' \subseteq \Gamma'' \in \mathcal{E}$ then $\Gamma'' \vdash t \in R$ (stability by weakening).

- $R|_{\Gamma'} = R \cap \mathbb{T}_{\Gamma'\vdash T}$.

- $R_1 \le_{\Gamma\vdash T} R_2$ if $R_1 \subseteq R_2$.

- $\top_{\Gamma\vdash T} = \mathcal{SN}_{\Gamma\vdash T}$.

- $\bigwedge_{\Gamma\vdash T}(\Re) = \bigcap \Re$ if $\Re \neq \emptyset$, $\top_{\Gamma\vdash T}$ otherwise.

• $\Gamma \vdash T : (x:U)K$.

- $\mathcal{R}_{\Gamma\vdash T}$ is the set of all the functions $R$ which, to $\Gamma' \vdash u \in \mathbb{T}_{\Gamma\vdash U}$, associate an element of $\mathcal{R}_{\Gamma'\vdash Tu}$ and satisfy:

(P1) if $u \to u'$ then $R(\Gamma' \vdash u) = R(\Gamma' \vdash u')$ (stability by reduction),

(P2) if $\Gamma' \subseteq \Gamma'' \in \mathcal{E}$ then $R(\Gamma' \vdash u)|_{\Gamma''} = R(\Gamma'' \vdash u)$ (compatibility with weakening).

- $R|_{\Gamma'} = R|_{\mathbb{T}_{\Gamma'\vdash U}}$.

- $R_1 \le_{\Gamma\vdash T} R_2$ if, for all $\Gamma' \vdash u \in \mathbb{T}_{\Gamma\vdash U}$, $R_1(\Gamma' \vdash u) \le_{\Gamma'\vdash Tu} R_2(\Gamma' \vdash u)$.

- $\top_{\Gamma\vdash T}(\Gamma' \vdash u) = \top_{\Gamma'\vdash Tu}$.

- $\bigwedge_{\Gamma\vdash T}(\Re)(\Gamma' \vdash u) = \bigwedge_{\Gamma'\vdash Tu}(\{R(\Gamma' \vdash u) \mid R \in \Re\})$.

• $\Gamma \vdash T : (X:K)L$. Let $\mathcal{S}_{\Gamma\vdash K}$ be the set of pairs $(\Gamma' \vdash U, S)$ such that $\Gamma' \vdash U \in \mathbb{T}_{\Gamma\vdash K}$ and $S \in \mathcal{R}_{\Gamma'\vdash U}$.

- $\mathcal{R}_{\Gamma\vdash T}$ is the set of all functions $R$ which, to a pair $(\Gamma' \vdash U, S) \in \mathcal{S}_{\Gamma\vdash K}$, associate an element of $\mathcal{R}_{\Gamma'\vdash TU}$ and satisfy:

(P1) if $U \to U'$ then $R(\Gamma' \vdash U, S) = R(\Gamma' \vdash U', S)$ (stability by reduction),

(P2) if $\Gamma' \subseteq \Gamma'' \in \mathcal{E}$ then $R(\Gamma' \vdash U, S)|_{\Gamma''} = R(\Gamma'' \vdash U, S|_{\Gamma''})$ (compatibility with weakening).

- $R|_{\Gamma'} = R|_{\mathcal{S}_{\Gamma'\vdash K}}$.

- $R_1 \le_{\Gamma\vdash T} R_2$ if, for all $(\Gamma' \vdash U, S) \in \mathcal{S}_{\Gamma\vdash K}$, $R_1(\Gamma' \vdash U, S) \le_{\Gamma'\vdash TU} R_2(\Gamma' \vdash U, S)$.

- $\top_{\Gamma\vdash T}(\Gamma' \vdash U, S) = \top_{\Gamma'\vdash TU}$.

- $\bigwedge_{\Gamma\vdash T}(\Re)(\Gamma' \vdash U, S) = \bigwedge_{\Gamma'\vdash TU}(\{R(\Gamma' \vdash U, S) \mid R \in \Re\})$.

The following lemma ensures that all these objects are well defined.

Lemma 114 (Candidates properties)

(a) $\mathcal{R}_{\Gamma\vdash T}$, $\le_{\Gamma\vdash T}$, $\top_{\Gamma\vdash T}$ and $\bigwedge_{\Gamma\vdash T}$ are well defined.

(b) If $T \to T'$ then $\mathcal{R}_{\Gamma\vdash T} = \mathcal{R}_{\Gamma\vdash T'}$.

(c) If $R \in \mathcal{R}_{\Gamma\vdash T}$ and $\Gamma \subseteq \Gamma' \in \mathcal{E}$ then $R|_{\Gamma'} \in \mathcal{R}_{\Gamma'\vdash T}$.

(d) $\top_{\Gamma\vdash T} \in \mathcal{R}_{\Gamma\vdash T}$.

(e) If $T \to T'$ then $\top_{\Gamma\vdash T} = \top_{\Gamma\vdash T'}$.

(f) If $\Gamma \subseteq \Gamma' \in \mathcal{E}$ then $\top_{\Gamma\vdash T}|_{\Gamma'} = \top_{\Gamma'\vdash T}$.

(g) If $\Re \subseteq \mathcal{R}_{\Gamma\vdash T}$ then $\bigwedge_{\Gamma\vdash T}(\Re) \in \mathcal{R}_{\Gamma\vdash T}$.

(h) If $T \to T'$ then $\bigwedge_{\Gamma\vdash T} = \bigwedge_{\Gamma\vdash T'}$.

(i) If $\Gamma \subseteq \Gamma' \in \mathcal{E}$ then $\bigwedge_{\Gamma\vdash T}(\Re)|_{\Gamma'} = \bigwedge_{\Gamma'\vdash T}(\{R|_{\Gamma'} \mid R \in \Re\})$.
Proof. By induction on $\mu(\Gamma \vdash T)$.

• $T = \square$.

(a) Immediate.

(b) $\square$ is not reducible.

(c) We necessarily have $R = \mathcal{SN}_{\Gamma\vdash\square}$. So, $R|_{\Gamma'} = \mathcal{SN}_{\Gamma\vdash\square} \cap \mathbb{T}_{\Gamma'\vdash\square} = \mathcal{SN}_{\Gamma'\vdash\square} \in \mathcal{R}_{\Gamma'\vdash\square}$.

(d) Immediate.

(e) $\square$ is not reducible.

(f) $\top_{\Gamma\vdash\square}|_{\Gamma'} = \mathcal{SN}_{\Gamma\vdash\square} \cap \mathbb{T}_{\Gamma'\vdash\square} = \mathcal{SN}_{\Gamma'\vdash\square} = \top_{\Gamma'\vdash\square}$.

(g) $\bigwedge_{\Gamma\vdash\square}(\Re) = \top_{\Gamma\vdash\square}$.

(h) $\square$ is not reducible.

(i) $\bigwedge_{\Gamma\vdash\square}(\Re)|_{\Gamma'} = \top_{\Gamma\vdash\square}|_{\Gamma'} = \top_{\Gamma'\vdash\square} = \bigwedge_{\Gamma'\vdash\square}(\{R|_{\Gamma'} \mid R \in \Re\})$.

• $\Gamma \vdash T : s$.

(a) Immediate.

(b) By subject reduction, $\mathbb{T}_{\Gamma\vdash T} = \mathbb{T}_{\Gamma\vdash T'}$.

(c) By weakening, $R|_{\Gamma'} \subseteq \mathbb{T}_{\Gamma'\vdash T}$. Now we show that $R|_{\Gamma'}$ satisfies (R1) to (R4). For (R1), (R2) and (R4), this is immediate. For (R3), let $\Gamma'' \vdash t \in \mathbb{T}_{\Gamma'\vdash T}$ such that $t$ is neutral and, for all $t'$ such that $t \to t'$, $\Gamma'' \vdash t' \in R|_{\Gamma'}$. Since $R|_{\Gamma'} \subseteq R$, $\Gamma'' \vdash t \in R$. But $\Gamma'' \vdash t \in \mathbb{T}_{\Gamma'\vdash T}$. Therefore, $\Gamma'' \vdash t \in R|_{\Gamma'}$.

(d) By definition, $\top_{\Gamma\vdash T} \subseteq \mathbb{T}_{\Gamma\vdash T}$ and it is easy to check that $\top_{\Gamma\vdash T}$ satisfies (R1) to (R4).

(e) By subject reduction.

(f) Immediate.

(g) Since each element of $\Re$ is included in $\mathbb{T}_{\Gamma\vdash T}$ and satisfies (R1) to (R4), it is easy to check that $\bigcap \Re$ is included in $\mathbb{T}_{\Gamma\vdash T}$ and satisfies (R1) to (R4).

(h) Immediate.

(i) $(\bigcap \Re)|_{\Gamma'} = (\bigcap \Re) \cap \mathbb{T}_{\Gamma'\vdash T} = \bigcap\{R \cap \mathbb{T}_{\Gamma'\vdash T} \mid R \in \Re\} = \bigcap\{R|_{\Gamma'} \mid R \in \Re\}$.

• $\Gamma \vdash T : (x:U)K$.

(a) We have to check that $\mu(\Gamma' \vdash Tu) < \mu(\Gamma \vdash T)$ and that the definitions do not depend on the choice of a type for $T$.

By weakening, $\Gamma' \vdash T : (x:U)K$ and $\Gamma' \vdash (x:U)K : \square$. By (app), $\Gamma' \vdash Tu : K\{x \mapsto u\}$. By inversion and regularity, $\Gamma', x:U \vdash K : \square$. By substitution, $\Gamma' \vdash K\{x \mapsto u\} : \square$. Therefore $\Gamma' \vdash Tu \in \mathcal{TY}$ and $\mu(\Gamma' \vdash Tu) = \nu(K\{x \mapsto u\})$. By invariance by substitution, $\nu(K\{x \mapsto u\}) = \nu(K)$. Therefore $\mu(\Gamma \vdash T) = \nu((x:U)K) = 1 + \nu(K) > \mu(\Gamma' \vdash Tu)$.

We now show that the definitions do not depend on the choice of a type for $T$. Assume that $\Gamma \vdash T : (x':U')K'$. By Type convertibility and Product compatibility, $U \downarrow_\Gamma U'$. Therefore $\mathbb{T}_{\Gamma\vdash U} = \mathbb{T}_{\Gamma\vdash U'}$ and $\mathcal{R}_{\Gamma\vdash T}$, $\le_{\Gamma\vdash T}$, $\top_{\Gamma\vdash T}$ and $\bigwedge_{\Gamma\vdash T}$ are unchanged if we replace $U$ by $U'$.

(b) By induction hypothesis, $\mathcal{R}_{\Gamma'\vdash Tu} = \mathcal{R}_{\Gamma'\vdash T'u}$.

(c) Immediate.

(d) We check that $\top_{\Gamma\vdash T}$ satisfies (P1) and (P2).

(P1) By induction hypothesis (e), $\top_{\Gamma'\vdash Tu} = \top_{\Gamma'\vdash Tu'}$.

(P2) By induction hypothesis (f), $\top_{\Gamma'\vdash Tu}|_{\Gamma''} = \top_{\Gamma''\vdash Tu}$.

(e) By subject reduction, $\top_{\Gamma\vdash T}$ and $\top_{\Gamma\vdash T'}$ have the same domain. And they are equal since, by induction hypothesis, $\top_{\Gamma'\vdash Tu}$ satisfies (e).

(f) $\top_{\Gamma\vdash T}|_{\Gamma'}$ and $\top_{\Gamma'\vdash T}$ have the same domain and are equal.

(g) Let $\Re' = \{R(\Gamma' \vdash u) \mid R \in \Re\}$. By definition, if $R \in \mathcal{R}_{\Gamma\vdash T}$ and $\Gamma' \vdash u \in \mathbb{T}_{\Gamma\vdash U}$ then $R(\Gamma' \vdash u) \in \mathcal{R}_{\Gamma'\vdash Tu}$. By induction hypothesis, $\bigwedge_{\Gamma'\vdash Tu}$ satisfies (g). Therefore, $\bigwedge_{\Gamma'\vdash Tu}(\Re') \in \mathcal{R}_{\Gamma'\vdash Tu}$. We now check that $\bigwedge_{\Gamma\vdash T}(\Re)$ satisfies (P1) and (P2).

(P1) Let $\Re'' = \{R(\Gamma' \vdash u') \mid R \in \Re\}$. Since each $R \in \Re$ satisfies (P1), $R(\Gamma' \vdash u') = R(\Gamma' \vdash u)$. By induction hypothesis, $\bigwedge_{\Gamma'\vdash Tu}$ satisfies (h). Therefore $\bigwedge_{\Gamma'\vdash Tu}(\Re') = \bigwedge_{\Gamma'\vdash Tu'}(\Re'')$.

(P2) Let $\Re_1 = \{R(\Gamma' \vdash u) \mid R \in \Re\}$ and $\Re_2 = \{R(\Gamma' \vdash u)|_{\Gamma''} \mid R \in \Re\}$. Since each $R \in \Re$ satisfies (P2), $R(\Gamma' \vdash u)|_{\Gamma''} = R(\Gamma'' \vdash u)$. By induction hypothesis, $\bigwedge_{\Gamma'\vdash Tu}$ satisfies (i). Therefore $\bigwedge_{\Gamma'\vdash Tu}(\Re_1)|_{\Gamma''} = \bigwedge_{\Gamma''\vdash Tu}(\Re_2)$.

(h) After (b), $\mathcal{R}_{\Gamma\vdash T} = \mathcal{R}_{\Gamma\vdash T'}$. Therefore, $\bigwedge_{\Gamma\vdash T}$ and $\bigwedge_{\Gamma\vdash T'}$ have the same domain. Let $\Re \subseteq \mathcal{R}_{\Gamma\vdash T}$. Then, $\bigwedge_{\Gamma\vdash T}(\Re)$ and $\bigwedge_{\Gamma\vdash T'}(\Re)$ have the same domain and are equal since, by induction hypothesis, $\bigwedge_{\Gamma'\vdash Tu}$ satisfies (h).

(i) $\bigwedge_{\Gamma\vdash T}(\Re)|_{\Gamma'}$ and $\bigwedge_{\Gamma'\vdash T}(\{R|_{\Gamma'} \mid R \in \Re\})$ have the same domain and are equal since, if $\Gamma'' \vdash u \in \mathbb{T}_{\Gamma'\vdash U}$ then $R(\Gamma'' \vdash u) = R|_{\Gamma'}(\Gamma'' \vdash u)$.

• $\Gamma \vdash T : (X:K)L$. The proof is similar to the previous case. ■

Lemma 115 Let $\mathcal{X}_{\Gamma\vdash T} = \{\Gamma' \vdash t \in \mathbb{T}_{\Gamma\vdash T} \mid t = x\vec t,\ x \in \mathcal{X},\ \vec t \in \mathcal{SN}\}$. If $\Gamma \vdash T : s$ then $\mathcal{X}_{\Gamma\vdash T} \neq \emptyset$ and, for all $R \in \mathcal{R}_{\Gamma\vdash T}$, $\mathcal{X}_{\Gamma\vdash T} \subseteq R$.

Proof. First of all, $\mathcal{X}_{\Gamma\vdash T} \subseteq \mathbb{T}_{\Gamma\vdash T}$. Since $\mathcal{X}^s$ is infinite and $dom(\Gamma)$ is finite, there exists $x \in \mathcal{X}^s \setminus dom(\Gamma)$. Therefore, by (var), $\Gamma, x:T \vdash x : T$. So, $\Gamma, x:T \vdash x \in \mathbb{T}_{\Gamma\vdash T}$ and $\mathcal{X}_{\Gamma\vdash T} \neq \emptyset$. Now, let $R \in \mathcal{R}_{\Gamma\vdash T}$, $\Gamma' \in \mathcal{E}$, $x \in \mathcal{X}$ and $\vec t \in \mathcal{SN}$ such that $\Gamma' \vdash x\vec t \in \mathbb{T}_{\Gamma\vdash T}$. We show that $\Gamma' \vdash x\vec t \in R$ by induction on $\vec t$ with $\to_{lex}$ as well-founded ordering. Since $x\vec t$ is neutral, by (R3), it suffices to show that every immediate reduct of $x\vec t$ belongs to $R$. But this is the induction hypothesis. ■

Lemma 116 (Completeness of the candidates lattice) For all $\Gamma \vdash T \in \mathcal{TY}$, $(\mathcal{R}_{\Gamma\vdash T}, \le_{\Gamma\vdash T})$ is a complete lattice. The lower bound of a part of $\mathcal{R}_{\Gamma\vdash T}$ is given by $\bigwedge_{\Gamma\vdash T}$.

Proof. It suffices to prove that $(\mathcal{R}_{\Gamma\vdash T}, \le_{\Gamma\vdash T})$ is a complete inf-semi-lattice and that $\top_{\Gamma\vdash T}$ is its greatest element. One can easily check by induction on $\mu(\Gamma \vdash T)$ that $\le_{\Gamma\vdash T}$ is an ordering (i.e. is reflexive, transitive and anti-symmetric), $\top_{\Gamma\vdash T}$ is the greatest element of $\mathcal{R}_{\Gamma\vdash T}$ and the lower bound of a part of $\mathcal{R}_{\Gamma\vdash T}$ is given by $\bigwedge_{\Gamma\vdash T}$. ■
8.3 Interpretation schema

We define the interpretation of a type $\Gamma \vdash T$ w.r.t. a substitution $\theta : \Gamma \to \Delta$ by induction on the structure of $T$. Hence, we have to give an interpretation to the predicate variables and the predicate symbols that occur in $T$. That is why we first define an interpretation schema $[\![\Gamma \vdash T]\!]^I_{\Delta,\theta,\xi}$ using a candidate assignment $\xi$ for the predicate variables and an interpretation $I$ for the predicate symbols. In Section 8.4, we define the interpretation of constant predicate symbols and, in Section 8.6, we define the interpretation of defined predicate symbols.

Definition 117 (Candidate assignment) A candidate assignment is a function $\xi$ from $\mathcal{X}^\square$ to $\bigcup\{\mathcal{R}_{\Delta\vdash T} \mid \Delta \vdash T \in \mathcal{TY}\}$. Let $\theta : \Gamma \to \Delta$ be a substitution. We say that $\xi$ is compatible with $(\theta, \Gamma, \Delta)$ if, for all $X \in dom^\square(\Gamma)$, $X\xi \in \mathcal{R}_{\Delta\vdash X\theta}$. The restriction of $\xi$ to an environment $\Gamma'$ is the assignment $\xi|_{\Gamma'}$ defined by $X(\xi|_{\Gamma'}) = (X\xi)|_{\Gamma'}$.

To any substitution $\theta : \Gamma \to \Delta$, we associate its canonical candidate assignment $\xi_\theta$ defined by $X\xi_\theta = \top_{\Delta\vdash X\theta}$. After Lemma 114 (d), $\xi_\theta$ is compatible with $(\theta, \Gamma, \Delta)$.

Lemma 118 Let $\theta : \Gamma \to \Delta$ be a substitution and $\xi$ be a candidate assignment compatible with $(\theta, \Gamma, \Delta)$.

(a) If $\theta \to \theta'$ then $\theta' : \Gamma \to \Delta$ and $\xi$ is compatible with $(\theta', \Gamma, \Delta)$.

(b) If $\Delta \subseteq \Delta' \in \mathcal{E}$ then $\theta : \Gamma \to \Delta'$ and $\xi|_{\Delta'}$ is compatible with $(\theta, \Gamma, \Delta')$.

Proof.

(a) After Lemma 35, we know that $\theta' : \Gamma \to \Delta$. Let $X \in dom^\square(\Gamma)$. Since $\xi$ is compatible with $(\theta, \Gamma, \Delta)$, $X\xi \in \mathcal{R}_{\Delta\vdash X\theta}$. After Lemma 114 (b), $\mathcal{R}_{\Delta\vdash X\theta'} = \mathcal{R}_{\Delta\vdash X\theta}$. Therefore $X\xi \in \mathcal{R}_{\Delta\vdash X\theta'}$.

(b) By weakening, $\theta : \Gamma \to \Delta'$. Let $X \in dom^\square(\Gamma)$. By definition, $X(\xi|_{\Delta'}) = (X\xi)|_{\Delta'}$. Since $\xi$ is compatible with $(\theta, \Gamma, \Delta)$, $X\xi \in \mathcal{R}_{\Delta\vdash X\theta}$. Therefore, after Lemma 114 (c), $(X\xi)|_{\Delta'} \in \mathcal{R}_{\Delta'\vdash X\theta}$. ■

Let $F$ be a predicate symbol of type $(\vec x : \vec T)\star$. In the following, we will assume that $F$, which is not a term if its arity is not null, represents its $\eta$-long form $[\vec x : \vec T]F(\vec x)$.

Definition 119 (Interpretation of a predicate symbol) An interpretation for a predicate symbol $F$ is a function $I$ which, to an environment $\Delta$, associates an element $I_{\Delta\vdash F}$ of $\mathcal{R}_{\Delta\vdash F}$ such that:

(P3) if $\Delta \subseteq \Delta' \in \mathcal{E}$ then $I_{\Delta\vdash F}|_{\Delta'} = I_{\Delta'\vdash F}$ (compatibility with weakening).

An interpretation for a set $\mathcal{G}$ of predicate symbols is a function which, to a symbol $G \in \mathcal{G}$, associates an interpretation for $G$.

Definition 120 (Interpretation schema) The interpretation of $\Gamma \vdash T \in \mathcal{TY}$ w.r.t. an environment $\Delta \in \mathcal{E}$, a substitution $\theta : \Gamma \to \Delta$, a candidate assignment $\xi$ compatible with $(\theta, \Gamma, \Delta)$ and an interpretation $I_F$ for each $F \in \mathcal{F}^\square$, is an element $[\![\Gamma \vdash T]\!]^I_{\Delta,\theta,\xi}$ of $\mathcal{R}_{\Delta\vdash T\theta}$ defined by induction on $T$:

• $[\![\Gamma \vdash s]\!]_{\Delta,\theta,\xi} = \mathcal{SN}_{\Delta\vdash s}$,

• $[\![\Gamma \vdash F(\vec t)]\!]_{\Delta,\theta,\xi} = I_{\Delta\vdash F}(\vec a)$ where, if $\tau_F = (\vec x : \vec T)\star$:

- $a_i = \Delta \vdash t_i\theta$ if $x_i \in \mathcal{X}^\star$,

- $a_i = (\Delta \vdash t_i\theta, [\![\Gamma \vdash t_i]\!]_{\Delta,\theta,\xi})$ if $x_i \in \mathcal{X}^\square$,

• $[\![\Gamma \vdash X]\!]_{\Delta,\theta,\xi} = X\xi$,

• $[\![\Gamma \vdash (x:U)V]\!]_{\Delta,\theta,\xi} = \{\Delta' \vdash t \in \mathbb{T}_{\Delta\vdash ((x:U)V)\theta} \mid \forall \Delta'' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}},\ \Delta'' \vdash tu \in [\![\Gamma, x:U \vdash V]\!]_{\Delta'',\theta\cup\{x\mapsto u\},\xi|_{\Delta''}}\}$,

• $[\![\Gamma \vdash (X:K)V]\!]_{\Delta,\theta,\xi} = \{\Delta' \vdash t \in \mathbb{T}_{\Delta\vdash ((X:K)V)\theta} \mid \forall \Delta'' \vdash U \in [\![\Gamma \vdash K]\!]_{\Delta',\theta,\xi|_{\Delta'}},\ \Delta'' \vdash tU \in \bigcap\{[\![\Gamma, X:K \vdash V]\!]_{\Delta'',\theta\cup\{X\mapsto U\},\xi|_{\Delta''}\cup\{X\mapsto S\}} \mid S \in \mathcal{R}_{\Delta''\vdash U}\}\}$,

• $[\![\Gamma \vdash [x:U]V]\!]_{\Delta,\theta,\xi}(\Delta' \vdash u) = [\![\Gamma, x:U \vdash V]\!]_{\Delta',\theta\cup\{x\mapsto u\},\xi|_{\Delta'}}$,

• $[\![\Gamma \vdash [X:K]V]\!]_{\Delta,\theta,\xi}(\Delta' \vdash U, S) = [\![\Gamma, X:K \vdash V]\!]_{\Delta',\theta\cup\{X\mapsto U\},\xi|_{\Delta'}\cup\{X\mapsto S\}}$,

• $[\![\Gamma \vdash Vu]\!]_{\Delta,\theta,\xi} = [\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}(\Delta \vdash u\theta)$,

• $[\![\Gamma \vdash VU]\!]_{\Delta,\theta,\xi} = [\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}(\Delta \vdash U\theta, [\![\Gamma \vdash U]\!]_{\Delta,\theta,\xi})$.

In the case where $\Gamma \vdash T : s$, the elements of $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$ are called computable. Finally, we will say that $(\theta, \Gamma, \Delta)$ is valid w.r.t. $\xi$ if, for all $x \in dom(\Gamma)$, $\Delta \vdash x\theta \in [\![\Gamma \vdash x\Gamma]\!]_{\Delta,\theta,\xi}$.

After Lemma 115, the identity substitution is valid w.r.t. any candidate assignment compatible with it.

Lemma 121 (Correctness of the interpretation schema)

(a) $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$ is well defined.

(b) $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi} \in \mathcal{R}_{\Delta\vdash T\theta}$.

(c) If $\theta \to \theta'$ then $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi} = [\![\Gamma \vdash T]\!]_{\Delta,\theta',\xi}$.

(d) If $\Delta \subseteq \Delta' \in \mathcal{E}$ then $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}|_{\Delta'} = [\![\Gamma \vdash T]\!]_{\Delta',\theta,\xi|_{\Delta'}}$.

Proof. Note first of all that, for (c), $[\![\Gamma \vdash T]\!]_{\Delta,\theta',\xi}$ exists since, after Lemma 118 (a), $\theta' : \Gamma \to \Delta$ and $\xi$ is compatible with $(\theta', \Gamma, \Delta)$. For (d), $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}|_{\Delta'}$ exists since, after (b), $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi} \in \mathcal{R}_{\Delta\vdash T\theta}$, and $[\![\Gamma \vdash T]\!]_{\Delta',\theta,\xi|_{\Delta'}}$ exists since, after Lemma 118 (b), $\theta : \Gamma \to \Delta'$ and $\xi|_{\Delta'}$ is compatible with $(\theta, \Gamma, \Delta')$.

• $T = s$.

(a) Immediate.

(b) After Lemma 114 (d).

(c) Since $[\![\Gamma \vdash s]\!]_{\Delta,\theta,\xi}$ does not depend on $\theta$.

(d) $[\![\Gamma \vdash s]\!]_{\Delta,\theta,\xi}|_{\Delta'} = \mathcal{SN}_{\Delta\vdash s} \cap \mathbb{T}_{\Delta'\vdash s} = \mathcal{SN}_{\Delta'\vdash s} = [\![\Gamma \vdash s]\!]_{\Delta',\theta,\xi|_{\Delta'}}$.

• $T = F(\vec t)$.

(a) $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi} = I_{\Delta\vdash F}(\vec a)$ where $a_i = \Delta \vdash t_i\theta$ if $x_i \in \mathcal{X}^\star$ and $a_i = (\Delta \vdash t_i\theta, [\![\Gamma \vdash t_i]\!]_{\Delta,\theta,\xi})$ if $x_i \in \mathcal{X}^\square$. By induction hypothesis (a) and (b), $[\![\Gamma \vdash t_i]\!]_{\Delta,\theta,\xi}$ is well defined and belongs to $\mathcal{R}_{\Delta\vdash t_i\theta}$. Therefore $\vec a$ is in the domain of $I_{\Delta\vdash F}$ and $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$ is well defined.

(b) By definition of $I_{\Delta\vdash F}$.

(c) By (P1).

(d) By (P2).

• $T = X$.

(a) Immediate.

(b) Since $\xi$ is compatible with $(\theta, \Gamma, \Delta)$.

(c) Since $[\![\Gamma \vdash X]\!]_{\Delta,\theta,\xi}$ does not depend on $\theta$.

(d) By definition of $\xi|_{\Delta'}$.

• $T = (x:U)V$. Let $\Gamma' = \Gamma, x:U$.

(a) Assume that $\Delta \subseteq \Delta' \in \mathcal{E}$. After Lemma 118 (b), $\theta : \Gamma \to \Delta'$ and $\xi|_{\Delta'}$ is compatible with $(\theta, \Gamma, \Delta')$. So, by induction hypothesis (a) and (b), $[\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$ is well defined and belongs to $\mathcal{R}_{\Delta'\vdash U\theta}$.

By Type correctness, there exists $s$ such that $\Gamma \vdash T : s$. By inversion, $\Gamma' \vdash V : s$. After the Environment Lemma, $\Gamma \vdash U : \star$. Therefore, by substitution, $\Delta' \vdash U\theta : \star$ and $[\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}} \subseteq \mathbb{T}_{\Delta'\vdash U\theta}$.

Now, let $\Delta'' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$ and $\sigma = \theta \cup \{x \mapsto u\}$. Since $\theta : \Gamma \to \Delta$, $\Delta'' \vdash u : U\theta$ and $x \notin FV(\Gamma)$, we have $\sigma : \Gamma' \to \Delta''$. After Lemma 118 (b), $\xi|_{\Delta''}$ is compatible with $(\theta, \Gamma, \Delta'')$. Since $dom^\square(\sigma) = dom^\square(\theta)$ and $\sigma$ and $\theta$ are equal on this domain, $\xi|_{\Delta''}$ is compatible with $(\sigma, \Gamma', \Delta'')$. Therefore, by induction hypothesis (a) and (b), $[\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ is well defined and belongs to $\mathcal{R}_{\Delta''\vdash V\sigma}$.

Finally, by substitution, $\Delta'' \vdash V\sigma : s$. Therefore, $[\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}} \subseteq \mathbb{T}_{\Delta''\vdash V\sigma}$ and $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$ is well defined.

(b) By substitution, $\Delta \vdash T\theta : s$. Therefore, we have to prove that $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$ is included in $\mathbb{T}_{\Delta\vdash T\theta}$ (immediate) and satisfies (R1) to (R4). We have seen in (a) that, if $\Delta \subseteq \Delta' \in \mathcal{E}$, $\Delta'' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$ and $\sigma = \theta \cup \{x \mapsto u\}$, then $[\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$ and $[\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ are included in $\mathbb{T}_{\Delta'\vdash U\theta}$ and $\mathbb{T}_{\Delta''\vdash V\sigma}$ respectively and satisfy (R1) to (R4).

(R1) After Lemma 115, there exists $y \in \mathcal{X}^\star \setminus dom(\Delta')$ such that $\Delta', y:U\theta \vdash y \in [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$. Let $\Delta'' = \Delta', y:U\theta$ and $\sigma = \theta \cup \{x \mapsto y\}$. Then, by definition, $\Delta'' \vdash ty \in [\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ and, since $[\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ satisfies (R1), $ty \in \mathcal{SN}$ and $t \in \mathcal{SN}$.

(R2) Let $\Delta'' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$ and $\sigma = \theta \cup \{x \mapsto u\}$. By definition, $\Delta'' \vdash tu \in [\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$. Since $tu \to t'u$ and $[\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ satisfies (R2), $t'u \in [\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ and $t' \in [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$.

(R3) It is in this case that we use the notion of arity, which establishes a syntactic distinction between the application of the $\lambda$-calculus and the application of a symbol (see Remark 10). Let $\Delta'' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$ and $\sigma = \theta \cup \{x \mapsto u\}$. By definition, $\Delta'' \vdash tu \in \mathbb{T}_{\Delta''\vdash V\sigma}$ and $tu$ is neutral. Since $[\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$ satisfies (R1), $u \in \mathcal{SN}$.

We prove that any reduct $v'$ of $tu$ belongs to $[\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ by induction on $u$ with $\to$ as well-founded ordering. Since $t$ is not an abstraction, $v'$ is either of the form $t'u$ with $t'$ an immediate reduct of $t$, or of the form $tu'$ with $u'$ an immediate reduct of $u$. In the first case, $\Delta'' \vdash t'u \in [\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ since, by hypothesis, $\Delta'' \vdash t' \in [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$ and $\Delta'' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$. In the second case, $\Delta'' \vdash tu' \in [\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ by induction hypothesis.

Therefore, since $[\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ satisfies (R3), $\Delta'' \vdash tu \in [\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$.

(R4) Assume that $\Delta' \subseteq \Delta'' \in \mathcal{E}$, $\Delta''' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta'',\theta,\xi|_{\Delta''}}$ and $\sigma = \theta \cup \{x \mapsto u\}$. By induction hypothesis (d), $[\![\Gamma \vdash U]\!]_{\Delta'',\theta,\xi|_{\Delta''}} = [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}|_{\Delta''} \subseteq [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$. So, $\Delta''' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$, $\Delta''' \vdash tu \in [\![\Gamma' \vdash V]\!]_{\Delta''',\sigma,\xi|_{\Delta'''}}$ and $\Delta'' \vdash t \in [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$.

(c) We prove that $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi} \subseteq [\![\Gamma \vdash T]\!]_{\Delta,\theta',\xi}$. The other way around is similar. Since $\Delta \vdash T\theta : s$, by conversion, $\mathbb{T}_{\Delta\vdash T\theta'} = \mathbb{T}_{\Delta\vdash T\theta}$ and $\Delta' \vdash t \in \mathbb{T}_{\Delta\vdash T\theta'}$. Now, let $\Delta'' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta',\theta',\xi|_{\Delta'}}$, $\sigma = \theta \cup \{x \mapsto u\}$ and $\sigma' = \theta' \cup \{x \mapsto u\}$. By induction hypothesis (c), $[\![\Gamma \vdash U]\!]_{\Delta',\theta',\xi|_{\Delta'}} = [\![\Gamma \vdash U]\!]_{\Delta',\theta,\xi|_{\Delta'}}$. Therefore, $\Delta'' \vdash tu \in [\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$. And since $\sigma \to \sigma'$, by induction hypothesis (c), $\Delta'' \vdash tu \in [\![\Gamma' \vdash V]\!]_{\Delta'',\sigma',\xi|_{\Delta''}}$ and $\Delta' \vdash t \in [\![\Gamma \vdash T]\!]_{\Delta,\theta',\xi}$.

(d) We prove that $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}|_{\Delta'} \subseteq [\![\Gamma \vdash T]\!]_{\Delta',\theta,\xi|_{\Delta'}}$. The other way around is similar. By definition, $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}|_{\Delta'} = [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi} \cap \mathbb{T}_{\Delta'\vdash T\theta}$. Let $\Delta'' \vdash t \in [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}|_{\Delta'}$, $\Delta''' \vdash u \in [\![\Gamma \vdash U]\!]_{\Delta'',\theta,\xi|_{\Delta''}}$ and $\sigma = \theta \cup \{x \mapsto u\}$. By definition of $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$, $\Delta''' \vdash tu \in [\![\Gamma' \vdash V]\!]_{\Delta''',\sigma,\xi|_{\Delta'''}}$. Therefore, since $\Delta'' \vdash t \in \mathbb{T}_{\Delta'\vdash T\theta}$, $\Delta'' \vdash t \in [\![\Gamma \vdash T]\!]_{\Delta',\theta,\xi|_{\Delta'}}$.

• $T = (X:K)V$. Similar to the previous case.

• $T = [x:U]V$. Let $\Gamma' = \Gamma, x:U$.

(a) Let $\Delta' \vdash u \in \mathbb{T}_{\Delta\vdash U\theta}$ and $\sigma = \theta \cup \{x \mapsto u\}$. Since $\Delta \subseteq \Delta' \in \mathcal{E}$, by Lemma 118 (b), $\theta : \Gamma \to \Delta'$ and $\xi|_{\Delta'}$ is compatible with $(\theta, \Gamma, \Delta')$. Since $\Delta' \vdash u : U\theta$ and $x \notin FV(\Gamma)$, $\sigma : \Gamma' \to \Delta'$. Moreover, $\xi|_{\Delta'}$ is compatible with $(\sigma, \Gamma', \Delta')$ since $dom^\square(\sigma) = dom^\square(\theta)$. So, by induction hypothesis (a), $[\![\Gamma' \vdash V]\!]_{\Delta',\sigma,\xi|_{\Delta'}}$ is well defined and $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$ is well defined.

(b) $\mathcal{R}_{\Delta\vdash T\theta}$ is the set of functions which, to $\Delta' \vdash u \in \mathbb{T}_{\Delta\vdash U\theta}$, associate an element of $\mathcal{R}_{\Delta'\vdash (T\theta)u}$ and satisfy (P1) and (P2). By induction hypothesis (b), $[\![\Gamma' \vdash V]\!]_{\Delta',\sigma,\xi|_{\Delta'}} \in \mathcal{R}_{\Delta'\vdash V\sigma}$. Since $(T\theta)u \to V\sigma$, by Lemma 114 (b), $\mathcal{R}_{\Delta'\vdash V\sigma} = \mathcal{R}_{\Delta'\vdash (T\theta)u}$.

(P1) Assume that $u \to u'$. $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}(\Delta' \vdash u') = [\![\Gamma' \vdash V]\!]_{\Delta',\sigma',\xi|_{\Delta'}}$ where $\sigma' = \theta \cup \{x \mapsto u'\}$. Since $\sigma \to \sigma'$, by induction hypothesis (c), $[\![\Gamma' \vdash V]\!]_{\Delta',\sigma',\xi|_{\Delta'}} = [\![\Gamma' \vdash V]\!]_{\Delta',\sigma,\xi|_{\Delta'}}$.

(P2) Assume that $\Delta \subseteq \Delta' \in \mathcal{E}$. $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}(\Delta \vdash u)|_{\Delta'} = [\![\Gamma' \vdash V]\!]_{\Delta,\sigma,\xi}|_{\Delta'}$. By induction hypothesis (d), $[\![\Gamma' \vdash V]\!]_{\Delta,\sigma,\xi}|_{\Delta'} = [\![\Gamma' \vdash V]\!]_{\Delta',\sigma,\xi|_{\Delta'}} = [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}(\Delta' \vdash u)$.

(c) $[\![\Gamma \vdash T]\!]_{\Delta,\theta',\xi}(\Delta' \vdash u) = [\![\Gamma' \vdash V]\!]_{\Delta',\sigma',\xi|_{\Delta'}}$ where $\sigma' = \theta' \cup \{x \mapsto u\}$. Since $\sigma \to \sigma'$, by induction hypothesis (c), $[\![\Gamma' \vdash V]\!]_{\Delta',\sigma',\xi|_{\Delta'}} = [\![\Gamma' \vdash V]\!]_{\Delta',\sigma,\xi|_{\Delta'}}$ and $[\![\Gamma \vdash T]\!]_{\Delta,\theta',\xi} = [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$.

(d) $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}|_{\Delta'} = [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}|_{\mathbb{T}_{\Delta'\vdash U\theta}}$ is the function which, to $\Delta'' \vdash u \in \mathbb{T}_{\Delta'\vdash U\theta}$, associates $[\![\Gamma' \vdash V]\!]_{\Delta'',\sigma,\xi|_{\Delta''}}$ where $\sigma = \theta \cup \{x \mapsto u\}$. This is $[\![\Gamma \vdash T]\!]_{\Delta',\theta,\xi|_{\Delta'}}$.

• $T = [X:K]V$. Similar to the previous case.

• $T = Vu$.

(a) By induction hypothesis (a), $[\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}$ is well defined and belongs to $\mathcal{R}_{\Delta\vdash V\theta}$. Since $T \in \mathcal{TY}$ and $T \neq \square$, $T$ is typable in $\Gamma$. By inversion, there exist $U$ and $K$ such that $\Gamma \vdash V : (x:U)K$ and $\Gamma \vdash u : U$. By substitution, $\Delta \vdash V\theta : (x:U\theta)K\theta$ and $\Delta \vdash u\theta : U\theta$. Therefore, $\mathcal{R}_{\Delta\vdash V\theta}$ is the set of functions which, to $\Delta' \vdash u' \in \mathbb{T}_{\Delta\vdash U\theta}$, associate an element of $\mathcal{R}_{\Delta'\vdash V\theta u'}$. So, $\Delta \vdash u\theta \in \mathbb{T}_{\Delta\vdash U\theta}$ and $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$ is well defined.

(b) $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi} \in \mathcal{R}_{\Delta\vdash (V\theta)(u\theta)} = \mathcal{R}_{\Delta\vdash T\theta}$.

(c) By induction hypothesis (c), $[\![\Gamma \vdash V]\!]_{\Delta,\theta',\xi} = [\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}$. Since $u\theta \to^* u\theta'$ and $[\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}$ satisfies (P1), $[\![\Gamma \vdash T]\!]_{\Delta,\theta',\xi} = [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}$.

(d) $[\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}|_{\Delta'} = [\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}(\Delta \vdash u\theta)|_{\Delta'}$. By (P2), $[\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}(\Delta \vdash u\theta)|_{\Delta'} = [\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}(\Delta' \vdash u\theta) = [\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}|_{\Delta'}(\Delta' \vdash u\theta)$. By induction hypothesis (d), $[\![\Gamma \vdash V]\!]_{\Delta,\theta,\xi}|_{\Delta'}(\Delta' \vdash u\theta) = [\![\Gamma \vdash V]\!]_{\Delta',\theta,\xi|_{\Delta'}}(\Delta' \vdash u\theta) = [\![\Gamma \vdash T]\!]_{\Delta',\theta,\xi|_{\Delta'}}$.

• $T = VU$. Similar to the previous case. ■

Lemma 122 Let $I$ and $I'$ be two interpretations equal on the predicate symbols occurring in $T$, and $\xi$ and $\xi'$ be two candidate assignments equal on the predicate variables free in $T$. Then, $[\![\Gamma \vdash T]\!]^I_{\Delta,\theta,\xi} = [\![\Gamma \vdash T]\!]^{I'}_{\Delta,\theta,\xi'}$.

Proof. By induction on $T$. ■

Lemma 123 (Candidate substitution) Let $\Gamma_0$, $\Gamma_1$ and $\Gamma_2$ be three valid environments, $\Gamma_0 \vdash T \in \mathcal{TY}$, $\theta_1 : \Gamma_0 \to \Gamma_1$ and $\theta_2 : \Gamma_1 \to \Gamma_2$ be two substitutions, and $\xi_2$ be a candidate assignment compatible with $(\theta_2, \Gamma_1, \Gamma_2)$. Then, the candidate assignment $\xi_{12}$ defined by $X\xi_{12} = [\![\Gamma_1 \vdash X\theta_1]\!]_{\Gamma_2,\theta_2,\xi_2}$ is compatible with $(\theta_1\theta_2, \Gamma_0, \Gamma_2)$ and $[\![\Gamma_1 \vdash T\theta_1]\!]_{\Gamma_2,\theta_2,\xi_2} = [\![\Gamma_0 \vdash T]\!]_{\Gamma_2,\theta_1\theta_2,\xi_{12}}$.

Proof. After Lemma 121 (b), $X\xi_{12} \in \mathcal{R}_{\Gamma_2\vdash X\theta_1\theta_2}$. Therefore $\xi_{12}$ is compatible with $(\theta_1\theta_2, \Gamma_0, \Gamma_2)$. Let $R = [\![\Gamma_0 \vdash T]\!]_{\Gamma_2,\theta_1\theta_2,\xi_{12}}$ and $R' = [\![\Gamma_1 \vdash T\theta_1]\!]_{\Gamma_2,\theta_2,\xi_2}$. We show that $R = R'$ by induction on $T$. After Lemma 121 (b), $R$ and $R'$ both belong to $\mathcal{R}_{\Gamma_2\vdash T\theta_1\theta_2}$.

• $T = s$. $R' = [\![\Gamma_1 \vdash s]\!]_{\Gamma_2,\theta_2,\xi_2} = \mathcal{SN}_{\Gamma_2\vdash s} = R$.

• $T = F(\vec t)$. Assume that $\tau_F = (\vec x : \vec T)\star$. Then, $R = I_{\Gamma_2\vdash F}(\vec a)$ where $a_i = \Gamma_2 \vdash t_i\theta_1\theta_2$ if $x_i \in \mathcal{X}^\star$, and $a_i = (\Gamma_2 \vdash t_i\theta_1\theta_2, [\![\Gamma_0 \vdash t_i]\!]_{\Gamma_2,\theta_1\theta_2,\xi_{12}})$ if $x_i \in \mathcal{X}^\square$. Similarly, $R' = I_{\Gamma_2\vdash F}(\vec a')$ where $a'_i = \Gamma_2 \vdash t_i\theta_1\theta_2$ if $x_i \in \mathcal{X}^\star$, and $a'_i = (\Gamma_2 \vdash t_i\theta_1\theta_2, [\![\Gamma_1 \vdash t_i\theta_1]\!]_{\Gamma_2,\theta_2,\xi_2})$ if $x_i \in \mathcal{X}^\square$. By induction hypothesis, for all $x_i \in \mathcal{X}^\square$, $[\![\Gamma_0 \vdash t_i]\!]_{\Gamma_2,\theta_1\theta_2,\xi_{12}} = [\![\Gamma_1 \vdash t_i\theta_1]\!]_{\Gamma_2,\theta_2,\xi_2}$. Therefore, $\vec a = \vec a'$ and $R = R'$.

• $T = X$. $R = X\xi_{12} = [\![\Gamma_1 \vdash X\theta_1]\!]_{\Gamma_2,\theta_2,\xi_2} = R'$.

• $T = (x:U)V$. Let $\Gamma'_0 = \Gamma_0, x:U$, $\Gamma'_1 = \Gamma_1, x:U\theta_1$ and $\Gamma'_2 \vdash t \in R$. Since $R \in \mathcal{R}_{\Gamma_2\vdash T\theta_1\theta_2}$, $\Gamma'_2 \vdash t \in \mathbb{T}_{\Gamma_2\vdash T\theta_1\theta_2}$. Let $\Gamma''_2 \vdash u \in [\![\Gamma_1 \vdash U\theta_1]\!]_{\Gamma'_2,\theta_2,\xi_2|_{\Gamma'_2}}$. After Lemma 121 (d), for all $X \in dom^\square(\Gamma_0)$, $X\xi_{12}|_{\Gamma'_2} = [\![\Gamma_1 \vdash X\theta_1]\!]_{\Gamma'_2,\theta_2,\xi_2|_{\Gamma'_2}}$. By induction hypothesis, $[\![\Gamma_1 \vdash U\theta_1]\!]_{\Gamma'_2,\theta_2,\xi_2|_{\Gamma'_2}} = [\![\Gamma_0 \vdash U]\!]_{\Gamma'_2,\theta_1\theta_2,\xi_{12}|_{\Gamma'_2}}$. By definition of $[\![\Gamma_0 \vdash T]\!]_{\Gamma_2,\theta_1\theta_2,\xi_{12}}$, $\Gamma''_2 \vdash tu \in [\![\Gamma'_0 \vdash V]\!]_{\Gamma''_2,\theta_1\theta_2\cup\{x\mapsto u\},\xi_{12}|_{\Gamma''_2}}$. Moreover, $X\xi_{12}|_{\Gamma''_2} = [\![\Gamma_1 \vdash X\theta_1]\!]_{\Gamma''_2,\theta_2,\xi_2|_{\Gamma''_2}}$, $\theta_1 : \Gamma'_0 \to \Gamma'_1$, $\theta_2 \cup \{x \mapsto u\} : \Gamma'_1 \to \Gamma''_2$ and $\theta_1\theta_2 \cup \{x \mapsto u\} = \theta_1(\theta_2 \cup \{x \mapsto u\})$. Therefore, by induction hypothesis, $[\![\Gamma'_0 \vdash V]\!]_{\Gamma''_2,\theta_1\theta_2\cup\{x\mapsto u\},\xi_{12}|_{\Gamma''_2}} = [\![\Gamma'_1 \vdash V\theta_1]\!]_{\Gamma''_2,\theta_2\cup\{x\mapsto u\},\xi_2|_{\Gamma''_2}}$ and $\Gamma'_2 \vdash t \in R'$. So, $R \subseteq R'$. The other way around is similar.

• $T = (X:K)V$. Similar to the previous case.

• $T = [x:U]V$. Let $\Gamma'_0 = \Gamma_0, x:U$, $\Gamma'_1 = \Gamma_1, x:U\theta_1$ and $\Gamma'_2 \vdash u \in \mathbb{T}_{\Gamma_2\vdash U\theta_1\theta_2}$. By definition, $R(\Gamma'_2 \vdash u) = [\![\Gamma'_0 \vdash V]\!]_{\Gamma'_2,\theta_1\theta_2\cup\{x\mapsto u\},\xi_{12}|_{\Gamma'_2}}$. By induction hypothesis, $[\![\Gamma'_0 \vdash V]\!]_{\Gamma'_2,\theta_1\theta_2\cup\{x\mapsto u\},\xi_{12}|_{\Gamma'_2}} = [\![\Gamma'_1 \vdash V\theta_1]\!]_{\Gamma'_2,\theta_2\cup\{x\mapsto u\},\xi_2|_{\Gamma'_2}}$. Therefore, $R(\Gamma'_2 \vdash u) = R'(\Gamma'_2 \vdash u)$ and $R = R'$.

• $T = [X:K]V$. Similar to the previous case.

• $T = Vu$. $R = [\![\Gamma_0 \vdash V]\!]_{\Gamma_2,\theta_1\theta_2,\xi_{12}}(\Gamma_2 \vdash u\theta_1\theta_2)$. By induction hypothesis, $[\![\Gamma_0 \vdash V]\!]_{\Gamma_2,\theta_1\theta_2,\xi_{12}} = [\![\Gamma_1 \vdash V\theta_1]\!]_{\Gamma_2,\theta_2,\xi_2}$. Therefore, $R = R'$.

• $T = VU$. Similar to the previous case. ■



8.4 Interpretation of constant predicate symbols

We define the interpretation $I$ for constant predicate symbols by induction on $>_{\mathcal{C}}$. Let $C$ be a constant predicate symbol and assume that we have already defined an interpretation $K$ for all the symbols smaller than $C$.

Like N. P. Mendler [90] or B. Werner [119], we define this interpretation as the fixpoint of a monotone function on a complete lattice. The monotonicity is ensured by the positivity conditions of an admissible inductive structure (Definition 74). The main difference with these works is that we have a more general notion of constructor, since it includes any function symbol whose output type is a constant predicate symbol. This allows us to define functions or predicates by matching not only on constant constructors but also on defined symbols.

We will denote by:

- $[C]$ the set of constant predicate symbols equivalent to $C$,

- $\mathcal{I}$ the set of the interpretations for $[C]$,

- $\le$ the relation on $\mathcal{I}$ defined by $I \le I'$ if, for all $D \in [C]$ and $\Delta \in \mathcal{E}$, $I_{\Delta \vdash D} \le_{\Delta \vdash D} I'_{\Delta \vdash D}$.

For simplifying the notations, we will denote $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi}$ by $[\Gamma \vdash T]_{\Delta,\theta,\xi}$.

Let $D \in [C]$. Assume that $D$ is of arity $n$ and type $(\vec{x} : \vec{T})\star$. Let $\Delta$ be an environment. By definition, $\mathcal{R}_{\Delta \vdash D}$ is the set of functions which, to $a_1 \in A_1, \ldots, a_n \in A_n$, associate an element of $\mathcal{R}_{\Delta_n \vdash D(\vec{t})}$ where:

- $a_i = \Delta_i \vdash t_i$ and $A_i = \top_{\Delta_{i-1} \vdash T_i\theta}$ if $x_i \in \mathcal{X}^\star$,

- $a_i = (\Delta_i \vdash t_i, S_i)$ and $A_i = \mathcal{S}_{\Delta_i \vdash t_i}$ if $x_i \in \mathcal{X}^\square$,

- $\Delta_0 = \Delta$ and $\theta = \{\vec{x} \mapsto \vec{t}\}$.

Definition 124 (Monotone interpretation) Let $I \in \mathcal{I}$, $x_i \in \mathcal{X}^\square$, $\Delta \in \mathcal{E}$ and $\vec{a}, \vec{a}'$ two sequences of arguments for $I$ such that $a_i = (\Delta_i \vdash t_i, S_i)$, $a'_i = (\Delta_i \vdash t_i, S'_i)$ and, for all $j \ne i$, $a_j = a'_j$. Then, $I$ is monotone in its $i$-th argument if $S_i \le S'_i$ implies $I_{\Delta \vdash D}(\vec{a}) \le I_{\Delta \vdash D}(\vec{a}')$. We will denote by $\mathcal{I}^m$ the set of the interpretations that are monotone in all their inductive arguments $i \in \mathrm{Ind}(D)$.

Lemma 125 $(\mathcal{I}^m, \le)$ is a complete lattice.

Proof. First of all, $\le$ is an ordering since, for all $D =_{\mathcal{C}} C$ and $\Delta \in \mathcal{E}$, $\le_{\Delta \vdash D}$ is an ordering.

We show that the function $I^\top$ defined by $I^\top_{\Delta \vdash D} = \top_{\Delta \vdash D}$ is the greatest element of $\mathcal{I}^m$. The function $I^\top$ is an interpretation since, after Lemma 114 (d) and (f), $\top_{\Delta \vdash D} \in \mathcal{R}_{\Delta \vdash D}$ and if $\Delta \subseteq \Delta' \in \mathcal{E}$ then $I^\top_{\Delta \vdash D}|_{\Delta'} = \top_{\Delta \vdash D}|_{\Delta'} = \top_{\Delta' \vdash D} = I^\top_{\Delta' \vdash D}$. Moreover, $I^\top$ is the greatest element of $\mathcal{I}$ since $\top_{\Delta \vdash D}$ is the greatest element of $\mathcal{R}_{\Delta \vdash D}$.

We now show that $I^\top$ is monotone in its inductive arguments. Let $i \in \mathrm{Ind}(D)$ and $\vec{a}, \vec{a}'$ two sequences of arguments for $I^\top_{\Delta \vdash D}$ such that $a_i = (\Delta_i \vdash t_i, S_i)$, $a'_i = (\Delta_i \vdash t_i, S'_i)$, $S_i \le S'_i$ and, for all $j \ne i$, $a_j = a'_j$. Then, $I^\top_{\Delta \vdash D}(\vec{a}) = \top_{\Delta_n \vdash D(\vec{t})} = I^\top_{\Delta \vdash D}(\vec{a}')$.

We now show that every part of $\mathcal{I}^m$ has an inf. Let $\mathfrak{I} \subseteq \mathcal{I}^m$ and $I^\wedge$ be the function defined by $I^\wedge_{\Delta \vdash D} = \bigwedge(\mathfrak{R}_{\Delta \vdash D})$ where $\mathfrak{R}_{\Delta \vdash D} = \{I_{\Delta \vdash D} \mid I \in \mathfrak{I}\}$. The function $I^\wedge$ is an interpretation since, after Lemma 114 (g) and (i), $I^\wedge_{\Delta \vdash D} \in \mathcal{R}_{\Delta \vdash D}$ and if $\Delta \subseteq \Delta' \in \mathcal{E}$ then $I^\wedge_{\Delta \vdash D}|_{\Delta'} = I^\wedge_{\Delta' \vdash D}$.

We now show that $I^\wedge$ is monotone in its inductive arguments. Let $i \in \mathrm{Ind}(D)$ and $\vec{a}, \vec{a}'$ two sequences of arguments for $I^\wedge_{\Delta \vdash D}$ satisfying the conditions of Definition 124. Then, $I^\wedge_{\Delta \vdash D}(\vec{a}) = \bigcap\{I_{\Delta \vdash D}(\vec{a}) \mid I \in \mathfrak{I}\}$ and $I^\wedge_{\Delta \vdash D}(\vec{a}') = \bigcap\{I_{\Delta \vdash D}(\vec{a}') \mid I \in \mathfrak{I}\}$. Since each $I$ is monotone in its inductive arguments, $I_{\Delta \vdash D}(\vec{a}) \le I_{\Delta \vdash D}(\vec{a}')$. Therefore, $I^\wedge_{\Delta \vdash D}(\vec{a}) \le I^\wedge_{\Delta \vdash D}(\vec{a}')$.

We are left to show that $I^\wedge$ is the inf of $\mathfrak{I}$. For all $I \in \mathfrak{I}$, $I^\wedge \le I$ since $I^\wedge_{\Delta \vdash D}$ is the inf of $\mathfrak{R}_{\Delta \vdash D}$. Assume now that there exists $I' \in \mathcal{I}^m$ such that, for all $I \in \mathfrak{I}$, $I' \le I$. Then, since $I^\wedge_{\Delta \vdash D}$ is the inf of $\mathfrak{R}_{\Delta \vdash D}$, $I' \le I^\wedge$. ■

Definition 126 (Interpretation of constant predicate symbols) Let $\varphi$ be the function which, to $I \in \mathcal{I}^m$, associates the interpretation $\varphi^I$ such that $\varphi^I_{\Delta \vdash D}(\vec{a})$ is the set of $\Delta' \vdash u \in \mathcal{SN}_{\Delta_n \vdash D(\vec{t})}$ such that, if $u$ reduces to a term of the form $d(\vec{u})$ with $d$ a constructor of type $(\vec{y} : \vec{U})D(\vec{v})$, then, for all $j \in \mathrm{Acc}(d)$, $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]^{I}_{\Delta',\theta,\xi}$ where $\theta = \{\vec{y} \mapsto \vec{u}\}$ and, for all $Y \in FV^\square(U_j)$, $Y\xi = S_{\iota_Y}$. We show hereafter that $\varphi$ is monotone. Therefore we can take $I_{\Delta \vdash D} = \mathrm{lfp}(\varphi)_{\Delta \vdash D}$ where $\mathrm{lfp}(\varphi)$ is the least fixpoint of $\varphi$.

The aim of this definition is to ensure the correctness of the accessibility relations (Lemma 134): if $d(\vec{u})$ is computable then each accessible $u_j$ ($j \in \mathrm{Acc}(d)$) is computable. This will allow us to ensure the computability of the variables of the left hand-side of a rule if the arguments of the left hand-side are computable, and thus the computability of the right hand-sides that belong to the computable closure.

Lemma 127 $\varphi^I$ is a well defined interpretation.

Proof. We first prove that $\varphi^I$ is well defined. The existence of $\iota_Y$ is the hypothesis (I6). Let $\Gamma_d = \vec{y} : \vec{U}$. We have to check that $\theta : \Gamma_d \to \Delta'$ and that $\xi|_{\Delta'}$ is compatible with $(\theta, \Gamma_d, \Delta')$. By subject reduction, $\Delta' \vdash d(\vec{u}) : D(\vec{t})$. By inversion, $\Delta' \vdash d(\vec{u}) : D(\vec{v}\theta)$, $D(\vec{v}\theta)\ \mathcal{C}^*_{\Delta'}\ D(\vec{t})$ and, for all $j$, $\Delta' \vdash u_j : U_j\theta$. Therefore, $\theta : \Gamma_d \to \Delta'$. Let $Y \in FV^\square(U_j)$. We have $Y\xi = S_{\iota_Y} \in \mathcal{R}_{\Delta_{\iota_Y} \vdash t_{\iota_Y}}$. By Lemma 114 (c), $Y\xi|_{\Delta'} \in \mathcal{R}_{\Delta' \vdash t_{\iota_Y}}$. By (A1), since $D$ is constant, for all $i$, $v_i\theta \downarrow t_i$. So, by Lemma 114 (b), $\mathcal{R}_{\Delta' \vdash t_{\iota_Y}} = \mathcal{R}_{\Delta' \vdash v_{\iota_Y}\theta}$. By (I6), $v_{\iota_Y} = Y$. Therefore $Y\xi \in \mathcal{R}_{\Delta' \vdash Y\theta}$.

Finally, we must make sure that the interpretations necessary for computing $[\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi|_{\Delta'}}$ are all well defined. The interpretation of constant predicate symbols smaller than $D$ is $K$. The interpretation of constant predicate symbols equivalent to $D$ is $I$. By (I4) and (I5), constant predicate symbols greater than $D$ or defined predicate symbols can occur only at neutral positions, but it is easy to check that terms at neutral positions are not interpreted.

We now prove that $\varphi^I_{\Delta \vdash D} \in \mathcal{R}_{\Delta \vdash D}$. To this end, we must prove that $R = \varphi^I_{\Delta \vdash D}(\vec{a})$ is included in $\top_{\Delta_n \vdash D(\vec{t})}$ (immediate) and satisfies the properties (R1) to (R4):

(R1) By definition.

(R2) Let $\Delta' \vdash u \in R$ and $u'$ such that $u \to u'$. By definition, $\Delta' \vdash u \in \mathcal{SN}_{\Delta_n \vdash D(\vec{t})}$. Therefore, $\Delta' \vdash u' \in \mathcal{SN}_{\Delta_n \vdash D(\vec{t})}$. Assume that $u' \to^* d(\vec{u})$ with $\tau_d = (\vec{y} : \vec{U})D(\vec{v})$. Then, $u \to^* d(\vec{u})$. Therefore, for all $j \in \mathrm{Acc}(d)$, $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi}$ and $\Delta' \vdash u' \in R$.

(R3) Let $\Delta' \vdash u \in \top_{\Delta_n \vdash D(\vec{t})}$ such that $u$ is neutral and, for all $u'$ such that $u \to u'$, $\Delta' \vdash u' \in R$. Then, $\Delta' \vdash u \in \mathcal{SN}_{\Delta_n \vdash D(\vec{t})}$. Assume now that $u \to^* d(\vec{u})$ with $\tau_d = (\vec{y} : \vec{U})D(\vec{v})$. Since $u$ is neutral, there exists $u'$ such that $u \to u'$ and $u' \to^* d(\vec{u})$. Therefore, for all $j \in \mathrm{Acc}(d)$, $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi}$ and $\Delta' \vdash u \in R$.

(R4) Let $\Delta' \vdash u \in R$ and assume that $\Delta' \subseteq \Delta'' \in \mathcal{E}$. Then, $\Delta'' \vdash u \in \mathcal{SN}_{\Delta_n \vdash D(\vec{t})}$. Assume now that $u \to^* d(\vec{u})$ with $\tau_d = (\vec{y} : \vec{U})D(\vec{v})$. Then, for all $j \in \mathrm{Acc}(d)$, $\Delta' \vdash u_j \in R_j$ where $R_j = [\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi|_{\Delta'}}$. After Lemma 121 (b), $R_j$ belongs to $\mathcal{R}_{\Delta' \vdash U_j\theta}$ and therefore satisfies (R4). Therefore $\Delta'' \vdash u_j \in R_j$ and $\Delta'' \vdash u \in R$.

Finally, we are left to show the properties (P1) to (P3). For (P1), the stability by reduction, this is immediate since, if $\vec{t} \to \vec{t}'$ then $\mathcal{SN}_{\Delta_n \vdash D(\vec{t})} = \mathcal{SN}_{\Delta_n \vdash D(\vec{t}')}$. For (P2) and (P3), it is easy to see that the functions have the same domain and are equal. ■

Lemma 128 $\varphi^I$ is monotone in its inductive arguments.

Proof. Let $i \in \mathrm{Ind}(D)$. We have to show that $S_i \le S'_i$ implies $\varphi^I_{\Delta \vdash D}(\vec{a}) \subseteq \varphi^I_{\Delta \vdash D}(\vec{a}')$. Let $\Delta' \vdash u \in \varphi^I_{\Delta \vdash D}(\vec{a})$. We prove that $\Delta' \vdash u \in \varphi^I_{\Delta \vdash D}(\vec{a}')$. We have $\Delta' \vdash u \in \mathcal{SN}_{\Delta_n \vdash D(\vec{t})}$. Assume now that $u$ reduces to a term of the form $d(\vec{u})$ with $d$ a constructor of type $(\vec{y} : \vec{U})D(\vec{v})$. Let $j \in \mathrm{Acc}(d)$. We have to prove that $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi'}$ where $\theta = \{\vec{y} \mapsto \vec{u}\}$ and, for all $Y \in FV^\square(U_j)$, $Y\xi' = S'_{\iota_Y}$.

We have $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi}$ where, for all $Y \in FV^\square(U_j)$, $Y\xi = S_{\iota_Y}$. If, for all $Y \in FV^\square(U_j)$, $\iota_Y \ne i$, then $\xi = \xi'$ and $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi'}$. Assume now that there exists $Y \in FV^\square(U_j)$ such that $\iota_Y = i$. Then, $Y\xi = S_i \le Y\xi' = S'_i$. By (I2), $\mathrm{Pos}(Y, U_j) \subseteq \mathrm{Pos}^+(U_j)$. Finally, $U_j$ satisfies (I3), (I4) and (I5).

We now prove by induction on $T$ that, for all $\Gamma \vdash T$ with $T$ a type, $\Delta \in \mathcal{E}$, $\theta : \Gamma \to \Delta$, and $\xi, \xi'$ compatible with $(\theta, \Gamma, \Delta)$ such that $Y\xi \le Y\xi'$ and, for all $X \ne Y$, $X\xi = X\xi'$:

- if $\mathrm{Pos}(Y, T) \subseteq \mathrm{Pos}^+(T)$ and $T$ satisfies (I3), (I4) and (I5) then $[\Gamma \vdash T]_{\Delta,\theta,\xi} \le [\Gamma \vdash T]_{\Delta,\theta,\xi'}$,

- if $\mathrm{Pos}(Y, T) \subseteq \mathrm{Pos}^-(T)$ and $T$ satisfies (I3$^-$), (I4) and (I5) then $[\Gamma \vdash T]_{\Delta,\theta,\xi} \ge [\Gamma \vdash T]_{\Delta,\theta,\xi'}$,

where (I3$^-$) is the property $\forall D \in \mathcal{CF}^\square,\ D =_{\mathcal{C}} C \Rightarrow \mathrm{Pos}(D, T) \subseteq \mathrm{Pos}^-(T)$. We detail the first case only; the second is similar.

• $T = s$. We have $[\Gamma \vdash T]_{\Delta,\theta,\xi} = \mathcal{SN}_{\Delta \vdash s} = [\Gamma \vdash T]_{\Delta,\theta,\xi'}$.

• $T = E(\vec{t})$. We have $[\Gamma \vdash T]_{\Delta,\theta,\xi} = I_{\Delta \vdash E}(\vec{a})$ and $[\Gamma \vdash T]_{\Delta,\theta,\xi'} = I_{\Delta \vdash E}(\vec{a}')$ with $a_i = a'_i = \Delta \vdash t_i\theta$ if $x_i \in \mathcal{X}^\star$, and $a_i = (\Delta \vdash t_i\theta, S_i)$, $a'_i = (\Delta \vdash t_i\theta, S'_i)$, $S_i = [\Gamma \vdash t_i]_{\Delta,\theta,\xi}$ and $S'_i = [\Gamma \vdash t_i]_{\Delta,\theta,\xi'}$ if $x_i \in \mathcal{X}^\square$. Since $T$ satisfies (I3), (I4) and (I5), we have $E \in \mathcal{CF}^\square$ and $E \le_{\mathcal{C}} D$. Therefore, $I_{\Delta \vdash E}$ is monotone in its inductive arguments. Let $x_i \in \mathcal{X}^\square$. We show that $t_i$ satisfies (I3), (I4) and (I5):

(I3) Let $D' =_{\mathcal{C}} D$. We have to show that $\mathrm{Pos}(D', t_i) \subseteq \mathrm{Pos}^+(t_i)$. If $\mathrm{Pos}(D', t_i) = \emptyset$, this is immediate. If there exists $p \in \mathrm{Pos}(D', t_i)$ then $i.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = \{\varepsilon\} \cup \bigcup\{i.\mathrm{Pos}^+(t_i) \mid i \in \mathrm{Ind}(E)\}$, we have $i \in \mathrm{Ind}(E)$ and $p \in \mathrm{Pos}^+(t_i)$.

(I4) and (I5) Let $D' >_{\mathcal{C}} D$ or $D' \in \mathcal{DF}^\square$. We have to show that $\mathrm{Pos}(D', t_i) \subseteq \mathrm{Pos}^0(t_i)$. If $\mathrm{Pos}(D', t_i) = \emptyset$, this is immediate. If there exists $p \in \mathrm{Pos}(D', t_i)$ then $i.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^0(T)$ and $\mathrm{Pos}^0(T) = \{\varepsilon\} \cup \bigcup\{i.\mathrm{Pos}^0(t_i) \mid i \in \mathrm{Ind}(E)\}$, we have $i \in \mathrm{Ind}(E)$ and $p \in \mathrm{Pos}^0(t_i)$.

Let us see now the relations between $S_i$ and $S'_i$. If $\mathrm{Pos}(Y, t_i) = \emptyset$ then, by induction hypothesis, $S_i = S'_i$. If there exists $p \in \mathrm{Pos}(Y, t_i)$ then $i.p \in \mathrm{Pos}(Y, T)$. Since $\mathrm{Pos}(Y, T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = \{\varepsilon\} \cup \bigcup\{i.\mathrm{Pos}^+(t_i) \mid i \in \mathrm{Ind}(E)\}$, we necessarily have $i \in \mathrm{Ind}(E)$ and $p \in \mathrm{Pos}^+(t_i)$. Therefore, by induction hypothesis, $S_i \le S'_i$. Finally, since $I_{\Delta \vdash E}$ is monotone in its inductive arguments, we can conclude that $[\Gamma \vdash T]_{\Delta,\theta,\xi} \le [\Gamma \vdash T]_{\Delta,\theta,\xi'}$.

• $T = Y$. We have $[\Gamma \vdash T]_{\Delta,\theta,\xi} = Y\xi \le Y\xi' = [\Gamma \vdash T]_{\Delta,\theta,\xi'}$; note that $\mathrm{Pos}(Y, Y) = \{\varepsilon\} \subseteq \mathrm{Pos}^+(Y)$.

• $T = X \ne Y$. We have $[\Gamma \vdash T]_{\Delta,\theta,\xi} = X\xi = X\xi' = [\Gamma \vdash T]_{\Delta,\theta,\xi'}$.

• $T = (x : U)V$. Let $\Gamma' = \Gamma, x : U$. We have $[\Gamma \vdash T]_{\Delta,\theta,\xi} = \{\Delta' \vdash t \in \top_{\Delta \vdash (x : U\theta)V\theta} \mid \forall \Delta'' \vdash u \in [\Gamma \vdash U]_{\Delta',\theta,\xi|_{\Delta'}},\ \Delta'' \vdash tu \in [\Gamma' \vdash V]_{\Delta'',\theta',\xi|_{\Delta''}}\}$ and $[\Gamma \vdash T]_{\Delta,\theta,\xi'} = \{\Delta' \vdash t \in \top_{\Delta \vdash (x : U\theta)V\theta} \mid \forall \Delta'' \vdash u \in [\Gamma \vdash U]_{\Delta',\theta,\xi'|_{\Delta'}},\ \Delta'' \vdash tu \in [\Gamma' \vdash V]_{\Delta'',\theta',\xi'|_{\Delta''}}\}$ where $\theta' = \theta \cup \{x \mapsto u\}$. We have to show that $[\Gamma \vdash T]_{\Delta,\theta,\xi} \subseteq [\Gamma \vdash T]_{\Delta,\theta,\xi'}$. Let $\Delta' \vdash t \in [\Gamma \vdash T]_{\Delta,\theta,\xi}$ and $\Delta'' \vdash u \in [\Gamma \vdash U]_{\Delta',\theta,\xi'|_{\Delta'}}$. Since $\mathrm{Pos}(Y, T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = 1.\mathrm{Pos}^-(U) \cup 2.\mathrm{Pos}^+(V)$, we have $\mathrm{Pos}(Y, U) \subseteq \mathrm{Pos}^-(U)$ and $\mathrm{Pos}(Y, V) \subseteq \mathrm{Pos}^+(V)$. We prove that $U$ satisfies (I3$^-$), (I4) and (I5):

(I3$^-$) Let $D' =_{\mathcal{C}} D$. We have to show that $\mathrm{Pos}(D', U) \subseteq \mathrm{Pos}^-(U)$. If $\mathrm{Pos}(D', U) = \emptyset$, this is immediate. If there exists $p \in \mathrm{Pos}(D', U)$ then $1.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = 1.\mathrm{Pos}^-(U) \cup 2.\mathrm{Pos}^+(V)$, we have $p \in \mathrm{Pos}^-(U)$.

(I4) and (I5) Let $D' >_{\mathcal{C}} D$ or $D' \in \mathcal{DF}^\square$. We have to show that $\mathrm{Pos}(D', U) \subseteq \mathrm{Pos}^0(U)$. If $\mathrm{Pos}(D', U) = \emptyset$, this is immediate. If there exists $p \in \mathrm{Pos}(D', U)$ then $1.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^0(T)$ and $\mathrm{Pos}^0(T) = 1.\mathrm{Pos}^0(U) \cup 2.\mathrm{Pos}^0(V)$, we have $p \in \mathrm{Pos}^0(U)$.

Similarly, $V$ satisfies (I3), (I4) and (I5). Therefore, by induction hypothesis, $[\Gamma \vdash U]_{\Delta',\theta,\xi'|_{\Delta'}} \subseteq [\Gamma \vdash U]_{\Delta',\theta,\xi|_{\Delta'}}$ and $[\Gamma' \vdash V]_{\Delta'',\theta',\xi|_{\Delta''}} \subseteq [\Gamma' \vdash V]_{\Delta'',\theta',\xi'|_{\Delta''}}$. Hence, $\Delta'' \vdash u \in [\Gamma \vdash U]_{\Delta',\theta,\xi|_{\Delta'}}$, $\Delta'' \vdash tu \in [\Gamma' \vdash V]_{\Delta'',\theta',\xi|_{\Delta''}}$ and $\Delta'' \vdash tu \in [\Gamma' \vdash V]_{\Delta'',\theta',\xi'|_{\Delta''}}$. Therefore, $\Delta' \vdash t \in [\Gamma \vdash T]_{\Delta,\theta,\xi'}$ and $[\Gamma \vdash T]_{\Delta,\theta,\xi} \subseteq [\Gamma \vdash T]_{\Delta,\theta,\xi'}$.

• $T = (X : K)V$. Similar to the previous case.

• $T = [x : U]V$. $[\Gamma \vdash T]_{\Delta,\theta,\xi}$ is the function which, to $\Delta' \vdash u \in \top_{\Delta \vdash U\theta}$, associates $[\Gamma' \vdash V]_{\Delta',\theta',\xi|_{\Delta'}}$ where $\Gamma' = \Gamma, x : U$ and $\theta' = \theta \cup \{x \mapsto u\}$. $[\Gamma \vdash T]_{\Delta,\theta,\xi'}$ is the function which, to $\Delta' \vdash u \in \top_{\Delta \vdash U\theta}$, associates $[\Gamma' \vdash V]_{\Delta',\theta',\xi'|_{\Delta'}}$. We have to show that, for all $\Delta' \vdash u \in \top_{\Delta \vdash U\theta}$, $[\Gamma' \vdash V]_{\Delta',\theta',\xi|_{\Delta'}} \le [\Gamma' \vdash V]_{\Delta',\theta',\xi'|_{\Delta'}}$. Since $\mathrm{Pos}(Y, T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = 1.\mathrm{Pos}(U) \cup 2.\mathrm{Pos}^+(V)$, we have $\mathrm{Pos}(Y, V) \subseteq \mathrm{Pos}^+(V)$. We now prove that $V$ satisfies (I3), (I4) and (I5).

(I3) Let $D' =_{\mathcal{C}} D$. We have to show that $\mathrm{Pos}(D', V) \subseteq \mathrm{Pos}^+(V)$. If $\mathrm{Pos}(D', V) = \emptyset$, this is immediate. If there exists $p \in \mathrm{Pos}(D', V)$ then $2.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = 1.\mathrm{Pos}(U) \cup 2.\mathrm{Pos}^+(V)$, we have $p \in \mathrm{Pos}^+(V)$.

(I4) and (I5) Let $D' >_{\mathcal{C}} D$ or $D' \in \mathcal{DF}^\square$. We have to show that $\mathrm{Pos}(D', V) \subseteq \mathrm{Pos}^0(V)$. If $\mathrm{Pos}(D', V) = \emptyset$, this is immediate. If there exists $p \in \mathrm{Pos}(D', V)$ then $2.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^0(T)$ and $\mathrm{Pos}^0(T) = 1.\mathrm{Pos}(U) \cup 2.\mathrm{Pos}^0(V)$, we have $p \in \mathrm{Pos}^0(V)$.

Therefore, by induction hypothesis, $[\Gamma' \vdash V]_{\Delta',\theta',\xi|_{\Delta'}} \le [\Gamma' \vdash V]_{\Delta',\theta',\xi'|_{\Delta'}}$ and $[\Gamma \vdash T]_{\Delta,\theta,\xi} \le [\Gamma \vdash T]_{\Delta,\theta,\xi'}$.

• $T = [X : K]V$. Similar to the previous case.

• $T = Vu$. We have $[\Gamma \vdash T]_{\Delta,\theta,\xi} = [\Gamma \vdash V]_{\Delta,\theta,\xi}(\Delta \vdash u\theta)$ and $[\Gamma \vdash T]_{\Delta,\theta,\xi'} = [\Gamma \vdash V]_{\Delta,\theta,\xi'}(\Delta \vdash u\theta)$. Since $\mathrm{Pos}(Y, T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = 1.\mathrm{Pos}^+(V) \cup 2.\mathrm{Pos}(u)$, we have $\mathrm{Pos}(Y, V) \subseteq \mathrm{Pos}^+(V)$. We now prove that $V$ satisfies (I3), (I4) and (I5).

(I3) Let $D' =_{\mathcal{C}} D$. We have to show that $\mathrm{Pos}(D', V) \subseteq \mathrm{Pos}^+(V)$. If $\mathrm{Pos}(D', V) = \emptyset$, this is immediate. If there exists $p \in \mathrm{Pos}(D', V)$ then $1.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = 1.\mathrm{Pos}^+(V) \cup 2.\mathrm{Pos}(u)$, we have $p \in \mathrm{Pos}^+(V)$.

(I4) and (I5) Let $D' >_{\mathcal{C}} D$ or $D' \in \mathcal{DF}^\square$. We have to prove that $\mathrm{Pos}(D', V) \subseteq \mathrm{Pos}^0(V)$. If $\mathrm{Pos}(D', V) = \emptyset$, this is immediate. If there exists $p \in \mathrm{Pos}(D', V)$ then $1.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^0(T)$ and $\mathrm{Pos}^0(T) = 1.\mathrm{Pos}^0(V) \cup 2.\mathrm{Pos}(u)$, we have $p \in \mathrm{Pos}^0(V)$.

Therefore, by induction hypothesis, $[\Gamma \vdash V]_{\Delta,\theta,\xi} \le [\Gamma \vdash V]_{\Delta,\theta,\xi'}$ and $[\Gamma \vdash T]_{\Delta,\theta,\xi} \le [\Gamma \vdash T]_{\Delta,\theta,\xi'}$.

• $T = VU$. We have $[\Gamma \vdash T]_{\Delta,\theta,\xi} = [\Gamma \vdash V]_{\Delta,\theta,\xi}(\Delta \vdash U\theta,\ [\Gamma \vdash U]_{\Delta,\theta,\xi})$ and $[\Gamma \vdash T]_{\Delta,\theta,\xi'} = [\Gamma \vdash V]_{\Delta,\theta,\xi'}(\Delta \vdash U\theta,\ [\Gamma \vdash U]_{\Delta,\theta,\xi'})$. Since $\mathrm{Pos}(Y, T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = 1.\mathrm{Pos}^+(V)$, we have $\mathrm{Pos}(Y, V) \subseteq \mathrm{Pos}^+(V)$ and $\mathrm{Pos}(Y, U) = \emptyset$. We have seen in the previous case that $V$ satisfies (I3), (I4) and (I5). We now show that $U$ satisfies (I3), (I3$^-$), (I4) and (I5).

(I3) and (I3$^-$) Let $D' =_{\mathcal{C}} D$. We have to prove that $\mathrm{Pos}(D', U) \subseteq \mathrm{Pos}^+(U) \cap \mathrm{Pos}^-(U)$. If there exists $p \in \mathrm{Pos}(D', U)$ then $2.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^+(T)$ and $\mathrm{Pos}^+(T) = 1.\mathrm{Pos}^+(V)$, this is not possible. Therefore, $\mathrm{Pos}(D', U) = \emptyset \subseteq \mathrm{Pos}^+(U) \cap \mathrm{Pos}^-(U)$.

(I4) and (I5) Let $D' >_{\mathcal{C}} D$ or $D' \in \mathcal{DF}^\square$. We have to prove that $\mathrm{Pos}(D', U) \subseteq \mathrm{Pos}^0(U)$. If there exists $p \in \mathrm{Pos}(D', U)$ then $2.p \in \mathrm{Pos}(D', T)$. Since $\mathrm{Pos}(D', T) \subseteq \mathrm{Pos}^0(T)$ and $\mathrm{Pos}^0(T) = 1.\mathrm{Pos}^0(V)$, this is not possible. Therefore, $\mathrm{Pos}(D', U) = \emptyset \subseteq \mathrm{Pos}^0(U)$.

Therefore, by induction hypothesis, $[\Gamma \vdash V]_{\Delta,\theta,\xi} \le [\Gamma \vdash V]_{\Delta,\theta,\xi'}$, $[\Gamma \vdash U]_{\Delta,\theta,\xi} = [\Gamma \vdash U]_{\Delta,\theta,\xi'}$ and $[\Gamma \vdash T]_{\Delta,\theta,\xi} \le [\Gamma \vdash T]_{\Delta,\theta,\xi'}$. ■

Lemma 129 $\varphi$ is monotone.

Proof. Let $I, I' \in \mathcal{I}^m$ such that $I \le I'$. We have to prove that, for all $D =_{\mathcal{C}} C$, $\Delta \in \mathcal{E}$ and $\vec{a}$, $\varphi^I_{\Delta \vdash D}(\vec{a}) \le \varphi^{I'}_{\Delta \vdash D}(\vec{a})$. Let $\Delta' \vdash u \in \varphi^I_{\Delta \vdash D}(\vec{a})$. We prove that $\Delta' \vdash u \in \varphi^{I'}_{\Delta \vdash D}(\vec{a})$. We have $\Delta' \vdash u \in \mathcal{SN}_{\Delta_n \vdash D(\vec{t})}$. Assume now that $u$ reduces to a term of the form $d(\vec{u})$ with $d$ a constructor of type $(\vec{y} : \vec{U})D(\vec{v})$. Let $j \in \mathrm{Acc}(d)$. We have to prove that $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]^{I'}_{\Delta',\theta,\xi}$ where $\theta = \{\vec{y} \mapsto \vec{u}\}$ and, for all $Y \in FV^\square(U_j)$, $Y\xi = S_{\iota_Y}$.

We have $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]^{I}_{\Delta',\theta,\xi}$ and $U_j$ satisfies (I3), (I4) and (I5).

We then prove by induction on $T$ that, for all $\Gamma \vdash T$ with $T$ a type, $\Delta \in \mathcal{E}$, $\theta : \Gamma \to \Delta$, and $\xi$ compatible with $(\theta, \Gamma, \Delta)$:

- if $T$ satisfies (I3), (I4) and (I5) then $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} \le [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$,

- if $T$ satisfies (I3$^-$), (I4) and (I5) then $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} \ge [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$,

where (I3$^-$) is the property $\forall D \in \mathcal{CF}^\square,\ D =_{\mathcal{C}} C \Rightarrow \mathrm{Pos}(D, T) \subseteq \mathrm{Pos}^-(T)$. We just detail the first case; the second case is similar.

• $T = s$. We have $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} = \mathcal{SN}_{\Delta \vdash s} = [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$.

• $T = E(\vec{t})$. We have $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} = I_{\Delta \vdash E}(\vec{a})$ and $[\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi} = I'_{\Delta \vdash E}(\vec{a}')$ with $a_i = a'_i = \Delta \vdash t_i\theta$ if $x_i \in \mathcal{X}^\star$, and $a_i = (\Delta \vdash t_i\theta, S_i)$, $a'_i = (\Delta \vdash t_i\theta, S'_i)$, $S_i = [\Gamma \vdash t_i]^{I}_{\Delta,\theta,\xi}$ and $S'_i = [\Gamma \vdash t_i]^{I'}_{\Delta,\theta,\xi}$ if $x_i \in \mathcal{X}^\square$. Since $T$ satisfies (I3), (I4) and (I5), we have $E \in \mathcal{CF}^\square$ and $E \le_{\mathcal{C}} D$. Therefore, $I_{\Delta \vdash E}$ and $I'_{\Delta \vdash E}$ are monotone in their inductive arguments. We have seen in the previous lemma that $t_i$ satisfies (I3), (I4) and (I5). Therefore, by induction hypothesis, $S_i \le S'_i$. Finally, since $I_{\Delta \vdash E}$ is monotone in its inductive arguments and $I \le I'$, we can conclude that $I_{\Delta \vdash E}(\vec{a}) \le I_{\Delta \vdash E}(\vec{a}') \le I'_{\Delta \vdash E}(\vec{a}')$ and therefore that $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} \le [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$.

• $T = X$. We have $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} = X\xi = [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$.

• $T = (x : U)V$. Let $\Gamma' = \Gamma, x : U$. We have $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} = \{\Delta' \vdash t \in \top_{\Delta \vdash (x : U\theta)V\theta} \mid \forall \Delta'' \vdash u \in [\Gamma \vdash U]^{I}_{\Delta',\theta,\xi|_{\Delta'}},\ \Delta'' \vdash tu \in [\Gamma' \vdash V]^{I}_{\Delta'',\theta',\xi|_{\Delta''}}\}$ and $[\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi} = \{\Delta' \vdash t \in \top_{\Delta \vdash (x : U\theta)V\theta} \mid \forall \Delta'' \vdash u \in [\Gamma \vdash U]^{I'}_{\Delta',\theta,\xi|_{\Delta'}},\ \Delta'' \vdash tu \in [\Gamma' \vdash V]^{I'}_{\Delta'',\theta',\xi|_{\Delta''}}\}$ where $\theta' = \theta \cup \{x \mapsto u\}$. We have to prove that $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} \subseteq [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$. Let $\Delta' \vdash t \in [\Gamma \vdash T]^{I}_{\Delta,\theta,\xi}$ and $\Delta'' \vdash u \in [\Gamma \vdash U]^{I'}_{\Delta',\theta,\xi|_{\Delta'}}$. We have seen in the previous lemma that $U$ satisfies (I3$^-$), (I4) and (I5) and that $V$ satisfies (I3), (I4) and (I5). Therefore, by induction hypothesis, $[\Gamma \vdash U]^{I'}_{\Delta',\theta,\xi|_{\Delta'}} \subseteq [\Gamma \vdash U]^{I}_{\Delta',\theta,\xi|_{\Delta'}}$ and $[\Gamma' \vdash V]^{I}_{\Delta'',\theta',\xi|_{\Delta''}} \subseteq [\Gamma' \vdash V]^{I'}_{\Delta'',\theta',\xi|_{\Delta''}}$. Hence, $\Delta'' \vdash u \in [\Gamma \vdash U]^{I}_{\Delta',\theta,\xi|_{\Delta'}}$, $\Delta'' \vdash tu \in [\Gamma' \vdash V]^{I}_{\Delta'',\theta',\xi|_{\Delta''}}$ and $\Delta'' \vdash tu \in [\Gamma' \vdash V]^{I'}_{\Delta'',\theta',\xi|_{\Delta''}}$. Therefore, $\Delta' \vdash t \in [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$ and $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} \subseteq [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$.

• $T = (X : K)V$. Similar to the previous case.

• $T = [x : U]V$. $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi}$ is the function which, to $\Delta' \vdash u \in \top_{\Delta \vdash U\theta}$, associates $[\Gamma' \vdash V]^{I}_{\Delta',\theta',\xi|_{\Delta'}}$ where $\Gamma' = \Gamma, x : U$ and $\theta' = \theta \cup \{x \mapsto u\}$. $[\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$ is the function which, to $\Delta' \vdash u \in \top_{\Delta \vdash U\theta}$, associates $[\Gamma' \vdash V]^{I'}_{\Delta',\theta',\xi|_{\Delta'}}$. We have to show that, for all $\Delta' \vdash u \in \top_{\Delta \vdash U\theta}$, $[\Gamma' \vdash V]^{I}_{\Delta',\theta',\xi|_{\Delta'}} \le [\Gamma' \vdash V]^{I'}_{\Delta',\theta',\xi|_{\Delta'}}$. We have seen in the previous lemma that $V$ satisfies (I3), (I4) and (I5). Therefore, by induction hypothesis, $[\Gamma' \vdash V]^{I}_{\Delta',\theta',\xi|_{\Delta'}} \le [\Gamma' \vdash V]^{I'}_{\Delta',\theta',\xi|_{\Delta'}}$.

• $T = [X : K]V$. Similar to the previous case.

• $T = Vu$. We have $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} = [\Gamma \vdash V]^{I}_{\Delta,\theta,\xi}(\Delta \vdash u\theta)$ and $[\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi} = [\Gamma \vdash V]^{I'}_{\Delta,\theta,\xi}(\Delta \vdash u\theta)$. We have seen in the previous lemma that $V$ satisfies (I3), (I4) and (I5). Therefore, by induction hypothesis, $[\Gamma \vdash V]^{I}_{\Delta,\theta,\xi} \le [\Gamma \vdash V]^{I'}_{\Delta,\theta,\xi}$ and $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} \le [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$.

• $T = VU$. We have $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} = [\Gamma \vdash V]^{I}_{\Delta,\theta,\xi}(\Delta \vdash U\theta,\ [\Gamma \vdash U]^{I}_{\Delta,\theta,\xi})$ and $[\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi} = [\Gamma \vdash V]^{I'}_{\Delta,\theta,\xi}(\Delta \vdash U\theta,\ [\Gamma \vdash U]^{I'}_{\Delta,\theta,\xi})$. We have seen in the previous lemma that $U$ satisfies (I3), (I3$^-$), (I4) and (I5), and that $V$ satisfies (I3), (I4) and (I5). Therefore, by induction hypothesis, $[\Gamma \vdash V]^{I}_{\Delta,\theta,\xi} \le [\Gamma \vdash V]^{I'}_{\Delta,\theta,\xi}$, $[\Gamma \vdash U]^{I}_{\Delta,\theta,\xi} = [\Gamma \vdash U]^{I'}_{\Delta,\theta,\xi}$ and $[\Gamma \vdash T]^{I}_{\Delta,\theta,\xi} \le [\Gamma \vdash T]^{I'}_{\Delta,\theta,\xi}$. ■

Since $(\mathcal{I}^m, \le)$ is a complete lattice and $\varphi$ is monotone, $\varphi$ has a least fixpoint $I$, which is an interpretation for all the constant predicate symbols equivalent to $C$. Hence, by induction on $>_{\mathcal{C}}$, we obtain an interpretation $I$ for the constant predicate symbols.

In the case of a primitive constant predicate symbol, the interpretation is simply the set of strongly normalizable terms of this type:

Lemma 130 (Interpretation of primitive constant predicate symbols) If $C$ is a primitive constant predicate symbol then $I_{\Delta \vdash C} = \top_{\Delta \vdash C}$.

Proof. Since $I_{\Delta \vdash C} \le \top_{\Delta \vdash C}$, it suffices to prove that, for all $u \in \mathcal{SN}$, $C$ primitive of type $(\vec{x} : \vec{T})\star$, $\vec{a}$ arguments of $I_{\Delta \vdash C}$ with $a_i = \Delta_i \vdash t_i$ if $x_i \in \mathcal{X}^\star$ and $a_i = (\Delta_i \vdash t_i, S_i)$ if $x_i \in \mathcal{X}^\square$, and $\Delta' \supseteq \Delta_n$, if $\Delta' \vdash u : C(\vec{t})$ then $\Delta' \vdash u \in I_{\Delta \vdash C}(\vec{a})$, by induction on $u$ with $\to \cup \rhd$ as well-founded ordering. Assume that $u \to^* c(\vec{u})$ with $c$ a constructor of type $(\vec{y} : \vec{U})C(\vec{v})$. If $u \to^+ c(\vec{u})$, we can conclude by induction hypothesis. So, assume that $u = c(\vec{u})$. In this case, we have to prove that, for all $j \in \mathrm{Acc}(c)$, $\Delta' \vdash u_j \in [\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi}$ where $\theta = \{\vec{y} \mapsto \vec{u}\}$ and, for all $Y \in FV^\square(U_j)$, $Y\xi = S_{\iota_Y}$. By definition of primitive constant predicate symbols, for all $j \in \mathrm{Acc}(c)$, $U_j$ is of the form $D(\vec{w})$ with $D$ a primitive constant predicate symbol. Assume that $\tau_D = (\vec{z} : \vec{V})\star$. Let $a'_i = \Delta' \vdash w_i\theta$ if $z_i \in \mathcal{X}^\star$, and $a'_i = (\Delta' \vdash w_i\theta,\ [\vec{y} : \vec{U} \vdash w_i]_{\Delta',\theta,\xi})$ if $z_i \in \mathcal{X}^\square$. Since $u_j \in \mathcal{SN}$ and $\Delta' \vdash u_j : D(\vec{w}\theta)$, by induction hypothesis, $\Delta' \vdash u_j \in I_{\Delta \vdash D}(\vec{a}')$. By (P3), $I_{\Delta \vdash D}(\vec{a}') = I_{\Delta' \vdash D}(\vec{a}')$ and $[\vec{y} : \vec{U} \vdash U_j]_{\Delta',\theta,\xi} = I_{\Delta' \vdash D}(\vec{a}')$. Therefore, $\Delta' \vdash u \in I_{\Delta \vdash C}(\vec{a})$. ■

8.5 Reductibility ordering

In this subsection, we assume given an interpretation $J$ for the defined predicate symbols and we denote $[\Gamma \vdash T]^{I,J}_{\Delta,\theta,\xi}$ by $[\Gamma \vdash T]_{\Delta,\theta,\xi}$.

The fixpoint of the function $\varphi$ defined in the previous subsection can be reached by transfinite iteration from the smallest element of $\mathcal{I}^m$. Let $\varphi^{\mathfrak{a}}$ be the interpretation after $\mathfrak{a}$ iterations.

Definition 131 (Order of a computable term) The order of $\Delta' \vdash t \in I_{\Delta \vdash C}(\vec{a})$, $o(\Delta' \vdash t)$, is the smallest ordinal $\mathfrak{a}$ such that $\Delta' \vdash t \in \varphi^{\mathfrak{a}}_{\Delta \vdash C}(\vec{a})$.

This notion of order will enable us to define a well-founded ordering in which recursive definitions on strictly positive predicates strictly decrease. Indeed, in this case, the subterm ordering is not sufficient. In the example of the addition on ordinals, we have the rule:

$+(x, \mathit{lim}(f)) \to \mathit{lim}([n : \mathit{nat}]\,+(x, f\,n))$

We have a recursive call with $f\,n$ as argument, which is not a subterm of $\mathit{lim}(f)$. However, thanks to the definition of the interpretation for constant predicate symbols and products, we can say that, if $\mathit{lim}(f)$ is computable then $f$ is computable and, for all computable $n$, $f\,n$ is computable. So, the order of $\mathit{lim}(f)$ is greater than the one of $f\,n$: $o(\mathit{lim}(f)) > o(f\,n)$.
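The following Python code is an added illustration, not part of the thesis: it runs the construction of Definition 126 on a finite toy universe. The constant predicate symbol is nat with constructors 0 and s (Acc(s) = {1}); the rewrite rules pred(s(x)) → x, pred(0) → 0 and loop → loop, the term encoding and the function names (phi, lfp_with_orders, is_sn, is_monotone) are this example's own constructions. On a finite universe the lattice is a powerset, so the least fixpoint of φ is reached by finite iteration from the bottom element, the stage at which a term first enters is its order in the sense of Definition 131, and monotonicity of φ (Lemma 128) can be checked exhaustively. Ordinals with lim cannot live on a finite universe, so the example stays with nat and shows the finite analogue: o(s(t)) > o(t), and a term's order accounts for every constructor term it reduces to.

```python
"""Least fixpoint of the operator phi of Definition 126 on a finite toy
universe for the constant predicate symbol nat (constructors 0 and s,
Acc(s) = {1}), with the order o(t) of Definition 131.  Added example for
this page: terms, rules and the symbol `loop` are constructed here."""
from itertools import chain, product

# Terms are tuples: ('0',), ('s', t), ('pred', t), ('loop',).
ZERO = ('0',)
LOOP = ('loop',)

def s(t):
    return ('s', t)

def pred(t):
    return ('pred', t)

def step(t):
    """One-step reducts of t: the constructed root rules pred(s(x)) -> x,
    pred(0) -> 0 and loop -> loop, then reduction inside the argument."""
    out = []
    if t[0] == 'pred' and t[1][0] == 's':
        out.append(t[1][1])
    if t[0] == 'pred' and t[1] == ZERO:
        out.append(ZERO)
    if t == LOOP:
        out.append(LOOP)
    if len(t) == 2:
        out.extend((t[0], r) for r in step(t[1]))
    return out

def reducts(t):
    """Reflexive-transitive closure of -> from t (finite on this universe)."""
    seen, todo = {t}, [t]
    while todo:
        for v in step(todo.pop()):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def is_sn(t):
    """t is strongly normalizing iff no cycle is reachable from t in the
    finite reduction graph; a depth-first search detects back edges."""
    done, on_path = {}, set()
    def dfs(u):
        if u in done:
            return done[u]
        if u in on_path:
            return False            # back edge: an infinite reduction
        on_path.add(u)
        ok = all(dfs(v) for v in step(u))
        on_path.discard(u)
        done[u] = ok
        return ok
    return dfs(t)

def universe_from(seeds):
    """Close the seeds under reduction and under taking arguments, so every
    accessible argument that phi has to test is itself in the universe."""
    seen, todo = set(seeds), list(seeds)
    while todo:
        u = todo.pop()
        for v in chain(step(u), u[1:]):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return frozenset(seen)

def phi(S, universe):
    """phi(S): SN terms u such that whenever u ->* s(v) the accessible
    argument v is already in S (Definition 126 instantiated to nat)."""
    return frozenset(u for u in universe if is_sn(u)
                     and all(v[1] in S for v in reducts(u) if v[0] == 's'))

def lfp_with_orders(universe):
    """Iterate phi from the bottom of the powerset lattice until it
    stabilises (least fixpoint, phi being monotone).  order[t] is the first
    stage k with t in phi^k, i.e. o(t) of Definition 131."""
    S, k, order = frozenset(), 0, {}
    while True:
        nxt = phi(S, universe)
        k += 1
        for t in nxt - S:
            order[t] = k
        if nxt == S:
            return S, order
        S = nxt

def is_monotone(universe):
    """Exhaustive check of A <= B  =>  phi(A) <= phi(B) over all subsets of
    the SN part of the universe (what Lemma 128 proves in general)."""
    sn = sorted(u for u in universe if is_sn(u))
    subsets = [frozenset(u for b, u in zip(bits, sn) if b)
               for bits in product((0, 1), repeat=len(sn))]
    img = {A: phi(A, universe) for A in subsets}
    return all(img[A] <= img[B] for A in subsets for B in subsets if A <= B)

# Constructed seeds: closed nat terms, a term reducing to a constructor term,
# and two terms that are not strongly normalizing.
SEEDS = [s(s(ZERO)), s(pred(s(s(ZERO)))), pred(ZERO), s(LOOP), pred(s(LOOP))]

if __name__ == '__main__':
    U = universe_from(SEEDS)
    fix, order = lfp_with_orders(U)
    for t in sorted(fix, key=order.get):
        print(order[t], t)
    print('monotone:', is_monotone(U), 'non-SN terms excluded:', len(U - fix))
```

Running the block prints the six strongly normalizing terms with their orders (0 and pred(0) at stage 1, s(0) and pred(s(s(0))) at stage 2, s(s(0)) and s(pred(s(s(0)))) at stage 3) and confirms that the three terms involving loop never enter the fixpoint, which is the finite counterpart of requiring $\Delta' \vdash u \in \mathcal{SN}$ in Definition 126.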

Definition 132 (Reductibility ordering) We assume given a precedence $>_{\mathcal{F}}$ on $\mathcal{F}$ and a status assignment $\mathit{stat}$ compatible with $>_{\mathcal{F}}$. Let $f$ be a symbol of non null arity and status $\mathit{stat}_f = \mathit{lex}(m_1, \ldots, m_k)$. Let $\Theta_f$ be the set of $(g, \Delta, \theta, \xi)$ such that, if $\tau_g = (\vec{x} : \vec{T})U$ and $\Gamma_g = \vec{x} : \vec{T}$, then $g =_{\mathcal{F}} f$, $\Delta \in \mathcal{E}$, $\theta : \Gamma_g \to \Delta$, $\xi$ is compatible with $(\theta, \Gamma_g, \Delta)$ and $(\theta, \Gamma_g, \Delta)$ is valid w.r.t. $\xi$. We equip $\Theta_f$ with the ordering $\sqsupset_f$ defined by:

• $(g, \Delta, \theta, \xi) \sqsupset_f (g', \Delta', \theta', \xi')$ if $\vec{m}\theta\ (\sqsupset^1_f, \ldots, \sqsupset^k_f)_{lex}\ \vec{m}\theta'$,

• $\mathit{mul}(\vec{u}) \sqsupset^i_f \mathit{mul}(\vec{u}')$ if $\{\vec{u}\}\ (\sqsupset^i)_{mul}\ \{\vec{u}'\}$ with:

 - $\sqsupset^i = \gg$ if $i \in SP(f)$, where $u \gg u'$ if $o(\Delta \vdash u) > o(\Delta' \vdash u')$,

 - $\sqsupset^i = \to \cup \rhd$ otherwise.

We equip $\Theta = \bigcup\{\Theta_f \mid f \in \mathcal{F}\}$ with the reductibility ordering $\sqsupset$ defined by $(g, \Delta, \theta, \xi) \sqsupset (g', \Delta', \theta', \xi')$ if $g >_{\mathcal{F}} g'$ or, $g =_{\mathcal{F}} g'$ and $(g, \Delta, \theta, \xi) \sqsupset_f (g', \Delta', \theta', \xi')$.

Lemma 133 The reductibility ordering is well-founded and compatible with $\to$: if $\theta \to \theta'$ then $(g, \Delta, \theta, \xi) \sqsupset (g, \Delta, \theta', \xi)$.

Proof. The reductibility ordering is well-founded since the ordinals are well-founded and the lexicographic and multiset extensions preserve well-foundedness. It is compatible with $\to$ by definition of the interpretation for constant predicate symbols. ■

We check hereafter that the accessibility relation is correct: an accessible subterm of a computable term is computable. Then we check that the ordering on arguments is also correct: if $l_j \rhd_2 u_j$ and $l_j$ is computable then $u_j$ is computable and has an order smaller than the one of $l_j$.

Lemma 134 (Correctness of accessibility) If $t : T \rhd_1 u : U$, $\Gamma \vdash t\rho : T\rho$, $\sigma : \Gamma \to \Delta$ and $\Delta \vdash t\sigma \in [\Gamma \vdash T\rho]_{\Delta,\sigma,\xi}$ then $\Gamma \vdash u\rho : U\rho$ and $\Delta \vdash u\sigma \in [\Gamma \vdash U\rho]_{\Delta,\sigma,\xi}$.

Proof. By definition of $\rhd_1$, we have $t$ of the form $c(\vec{u})$ with $c$ a constructor of type $(\vec{y} : \vec{U})C(\vec{v})$, $T\rho = C(\vec{v})\gamma\rho$ where $\gamma = \{\vec{y} \mapsto \vec{u}\}$, $u = u_j$ with $j \in \mathrm{Acc}(c)$ and $U\rho = U_j\gamma\rho$. Assume that $\tau_C = (\vec{x} : \vec{T})\star$. Then, $[\Gamma \vdash C(\vec{v})\gamma\rho]_{\Delta,\sigma,\xi} = I_{\Delta \vdash C}(\vec{a})$ with $a_i = \Delta \vdash v_i\gamma\rho\sigma$ if $x_i \in \mathcal{X}^\star$, and $a_i = (\Delta \vdash v_i\gamma\rho\sigma, S_i)$ where $S_i = [\Gamma \vdash v_i\gamma\rho]_{\Delta,\sigma,\xi}$ if $x_i \in \mathcal{X}^\square$. By definition of $I_{\Delta \vdash C}$, $\Delta \vdash u_j\sigma \in [\Gamma_c \vdash U_j]_{\Delta,\gamma\rho\sigma,\xi'}$ with, for all $Y \in FV^\square(U_j)$, $Y\xi' = S_{\iota_Y} = [\Gamma \vdash v_{\iota_Y}\gamma\rho]_{\Delta,\sigma,\xi}$. By (I6), $v_{\iota_Y} = Y$ and $Y\xi' = [\Gamma \vdash Y\gamma\rho]_{\Delta,\sigma,\xi}$. From $\Gamma \vdash t\rho : T\rho$, by inversion, we deduce that, for all $i$, $\Gamma \vdash u_i\rho : U_i\gamma\rho$. Therefore, $\gamma\rho : \Gamma_c \to \Gamma$. Hence, by candidates substitution, $[\Gamma_c \vdash U_j]_{\Delta,\gamma\rho\sigma,\xi'} = [\Gamma \vdash U_j\gamma\rho]_{\Delta,\sigma,\xi}$ and $\Delta \vdash u\sigma \in [\Gamma \vdash U\rho]_{\Delta,\sigma,\xi}$. ■

Lemma 135 (Correctness of the ordering on arguments) Assume that $t : T \rhd_2 u : U$, that is, that $t$ is of the form $c(\vec{t})$ with $c$ a constructor of type $(\vec{x} : \vec{T})C(\vec{v})$, $u$ of the form $x\vec{u}$ with $x \in \mathrm{dom}(\Gamma_0)$, $x\Gamma_0$ of the form $(\vec{y} : \vec{U})D(\vec{w})$, $D =_{\mathcal{C}} C$ and $t : T\ (\rhd_1)^+\ x : V$ with $V\rho = x\Gamma_0$.

Let $\theta = \{\vec{y} \mapsto \vec{u}\}$. If $\Gamma \vdash t\rho : T\rho$, $\sigma : \Gamma \to \Delta$, $\Delta \vdash t\sigma \in [\Gamma \vdash T\rho]_{\Delta,\sigma,\xi}$ and, for all $i$, $\Delta \vdash u_i\sigma \in [\Gamma \vdash U_i\theta]_{\Delta,\sigma,\xi}$, then $\Delta \vdash x\sigma\vec{u}\sigma \in [\Gamma \vdash D(\vec{w})\theta]_{\Delta,\sigma,\xi}$ and $o(\Delta \vdash t\sigma) > o(\Delta \vdash x\sigma\vec{u}\sigma)$.

Proof. Let $p$ be the path from $t$ to $x$ followed in $t : T\ (\rhd_1)^+\ x : V$. We show that if $p = j_1 \ldots j_n j_{n+1}$ then $c(\vec{t}) : C(\vec{v})\gamma = c_0(\vec{t}^0) : C_0(\vec{v}^0)\gamma_0 \rhd_1 c_1(\vec{t}^1) : C_1(\vec{v}^1)\gamma_1 \rhd_1 \ldots c_n(\vec{t}^n) : C_n(\vec{v}^n)\gamma_n \rhd_1 x : V$ with, if $\tau_{c_i} = (\vec{x}^i : \vec{T}^i)C_i(\vec{v}^i)$ and $\gamma_i = \{\vec{x}^i \mapsto \vec{t}^i\}$:

- for all $i < n$, $c_{i+1}(\vec{t}^{i+1}) = t^i_{j_{i+1}}$, $T^i_{j_{i+1}} = C_{i+1}(\vec{v}'^{\,i+1})$ and $\vec{v}'^{\,i+1}\gamma_i\rho = \vec{v}^{i+1}\gamma_{i+1}\rho$,

- $T^n_{j_{n+1}} = (\vec{y} : \vec{U})D(\vec{w}')$ and $\vec{w}'\gamma_n = \vec{w}$.

We proceed by induction on $n$. If $n = 0$, this is immediate. So, assume that $c(\vec{t}) : C(\vec{v})\gamma \rhd_1 t_{j_1} : T_{j_1}\gamma\ (\rhd_1)^+\ x : V$. Since $t_{j_1} : T_{j_1}\gamma\ (\rhd_1)^+\ x : V$, $t_{j_1} = c_1(\vec{t}^1)$ with $\tau_{c_1} = (\vec{x}^1 : \vec{T}^1)C_1(\vec{v}^1)$ and $T_{j_1}\gamma\rho = C_1(\vec{v}^1)\gamma_1\rho$ where $\gamma_1 = \{\vec{x}^1 \mapsto \vec{t}^1\}$. By definition of $\rhd_1$, $T_{j_1}$ is of the form $(\vec{z} : \vec{V})C'_1(\vec{w}^1)$. Therefore, $|\vec{z}| = 0$, $C'_1 = C_1$ and $\vec{w}^1\gamma\rho = \vec{v}^1\gamma_1\rho$. Hence, we can conclude by induction hypothesis on $t_{j_1} : T_{j_1}\gamma\ (\rhd_1)^+\ x : V$.

Since we are in an admissible inductive structure (A2), we can say that $C \ge_{\mathcal{F}} C_1 \ge_{\mathcal{F}} \ldots \ge_{\mathcal{F}} C_n \ge_{\mathcal{F}} D$. Since $D =_{\mathcal{F}} C$ and $>_{\mathcal{F}}$ is well-founded, we get $C =_{\mathcal{F}} C_1 =_{\mathcal{F}} \ldots =_{\mathcal{F}} D$.

Let $w_{n+1} = t|_p\,\vec{u}$, $W_{n+1} = D(\vec{w})\theta$ and, for all $i \le n$, $w_i = t|_{j_1 \ldots j_i}$ and $W_i = C_i(\vec{v}^i)\gamma_i$. We show by induction on $n$ that, for all $i \le n+1$, $\Delta \vdash w_i\sigma \in [\Gamma \vdash W_i\rho]_{\Delta,\sigma,\xi}$ and, for all $i \le n$, $o(\Delta \vdash w_i\sigma) > o(\Delta \vdash w_{i+1}\sigma)$.

• Case $n > 0$. $c(\vec{t}) : C(\vec{v})\gamma \rhd_1 t_{j_1} : T_{j_1}\gamma\ (\rhd_1)^+\ x : V$. By hypothesis, we have $\Gamma \vdash c(\vec{t})\rho : C(\vec{v})\gamma\rho$ and $\Delta \vdash c(\vec{t})\sigma \in [\Gamma \vdash C(\vec{v})\gamma\rho]_{\Delta,\sigma,\xi}$. By correctness of the accessibility relation, $\Gamma \vdash t_{j_1}\rho : T_{j_1}\gamma\rho$ and $\Delta \vdash t_{j_1}\sigma \in [\Gamma \vdash T_{j_1}\gamma\rho]_{\Delta,\sigma,\xi}$. Since $T_{j_1}\gamma\rho = C_1(\vec{v}^1)\gamma_1\rho$ and $C_1 =_{\mathcal{F}} C$, $o(\Delta \vdash t\sigma) > o(\Delta \vdash t_{j_1}\sigma)$. Hence, we can conclude by induction hypothesis on $t_{j_1} : T_{j_1}\gamma$.

• Case $n = 0$. $c(\vec{t}) : C(\vec{v})\gamma \rhd_1 x : V$. Like in the case $n > 0$, we have $\Delta \vdash x\sigma \in [\Gamma \vdash V\rho]_{\Delta,\sigma,\xi}$. Moreover, we have $V\rho = (\vec{y} : \vec{U})D(\vec{w})$. Let $m = |\vec{u}|$ and $\theta_k = \{y_1 \mapsto u_1, \ldots, y_k \mapsto u_k\}$. We prove by induction on $k \le m$ that $\Delta \vdash x\sigma u_1\sigma \ldots u_k\sigma \in [\Gamma \vdash (y_{k+1} : U_{k+1}\theta_k) \ldots (y_m : U_m\theta_k)D(\vec{w})\theta_k]_{\Delta,\sigma,\xi}$, and therefore that $o(\Delta \vdash t\sigma) > o(\Delta \vdash x\sigma\vec{u}\sigma)$.

If $k = 0$, this is immediate. So, assume that $k > 0$. By induction hypothesis, $\Delta \vdash x\sigma u_1\sigma \ldots u_{k-1}\sigma \in [\Gamma \vdash (y_k : U_k\theta_{k-1}) \ldots (y_m : U_m\theta_{k-1})D(\vec{w})\theta_{k-1}]_{\Delta,\sigma,\xi}$. Since $\Delta \vdash u_k\sigma \in [\Gamma \vdash U_k\theta_{k-1}]_{\Delta,\sigma,\xi}$, we have $\Delta \vdash x\sigma u_1\sigma \ldots u_k\sigma \in [\Gamma, y_k : U_k\theta_{k-1} \vdash (y_{k+1} : U_{k+1}\theta_{k-1}) \ldots (y_m : U_m\theta_{k-1})D(\vec{w})\theta_{k-1}]_{\Delta,\sigma',\xi'}$ where $\sigma' = \sigma \cup \{y_k \mapsto u_k\sigma\}$, $\xi' = \xi$ if $y_k \in \mathcal{X}^\star$ and $\xi' = \xi \cup \{y_k \mapsto [\Gamma \vdash u_k]_{\Delta,\sigma,\xi}\}$ if $y_k \in \mathcal{X}^\square$. Hence, by candidates substitution, $[\Gamma, y_k : U_k\theta_{k-1} \vdash (y_{k+1} : U_{k+1}\theta_{k-1}) \ldots (y_m : U_m\theta_{k-1})D(\vec{w})\theta_{k-1}]_{\Delta,\sigma',\xi'} = [\Gamma \vdash (y_{k+1} : U_{k+1}\theta_k) \ldots (y_m : U_m\theta_k)D(\vec{w})\theta_k]_{\Delta,\sigma,\xi}$. ■

8.6 Interpretation of defined predicate symbols

We define the interpretation $J$ for defined predicate symbols by induction on $\succ$ w.r.t. hypothesis (A3).

Let $F$ be a defined predicate symbol and assume that we have already defined an interpretation $K$ for all the symbols smaller than $F$. Let $[F]$ be the set of symbols equivalent to $F$. We define the interpretation for $[F]$ depending on whether $[F]$ is primitive, positive or recursive.

To make the notations simpler, we will denote $[\Gamma \vdash T]^{I,J}_{\Delta,\theta,\xi}$ by $[\Gamma \vdash T]^{J}_{\Delta,\theta,\xi}$. And for the arguments of the interpretation, we follow the notations used in the previous section.

8.6.1 Primitive systems

Definition 136 For every $G \in [F]$, we take $J_{\Delta \vdash G} = \top_{\Delta \vdash G}$.

8.6.2 Positive, small and simple systems

Let $\mathcal{J}$ be the set of the interpretations for $[F]$ and $\le$ the relation on $\mathcal{J}$ defined by $J \le J'$ if, for all $G \in [F]$ and $\Delta \in \mathcal{E}$, $J_{\Delta \vdash G} \le_{\Delta \vdash G} J'_{\Delta \vdash G}$. Since $(\mathcal{R}_{\Delta \vdash G}, \le_{\Delta \vdash G})$ is a complete lattice, it is easy to see that $(\mathcal{J}, \le)$ is also a complete lattice.

Definition 137 Let $\psi$ be the function which, to $J \in \mathcal{J}$, associates the interpretation $\psi^J$ defined by:

$\psi^J_{\Delta \vdash G}(\vec{a}) = [\Gamma \vdash r]^{J}_{\Delta_n,\sigma,\xi}$ if $\{\vec{t}\} \subseteq \mathcal{WN}$, $\vec{t}{\downarrow} = \vec{l}\sigma$ and $(G(\vec{l}) \to r, \Gamma, \rho) \in \mathcal{R}$,

$\psi^J_{\Delta \vdash G}(\vec{a}) = \top_{\Delta_n \vdash G(\vec{t})}$ otherwise,

where, for all $X \in FV^\square(r)$, $X\xi = S_{\kappa_X}|_{\Delta_n}$. Hereafter, we show that $\psi$ is monotone. Therefore, we can take $J_{\Delta \vdash G} = \mathrm{lfp}(\psi)_{\Delta \vdash G}$.

Lemma 138 $\psi^J$ is a well defined interpretation.

Proof. By simplicity, at most one rule can be applied at the top of $G(\vec{t}{\downarrow})$. The existence of $\kappa_X$ is the smallness hypothesis. By (S4), if $\vec{t}{\downarrow} = \vec{l}\sigma$ then $\sigma : \Gamma \to \Delta_n$. Moreover, $\xi$ is compatible with $(\sigma, \Gamma, \Delta_n)$ since, for all $X \in FV^\square(r)$, $X\xi = S_{\kappa_X}|_{\Delta_n} \in \mathcal{R}_{\Delta_n \vdash X\sigma}$, because $S_{\kappa_X} \in \mathcal{R}_{\Delta_{\kappa_X} \vdash t_{\kappa_X}}$ and, by smallness, $t_{\kappa_X}{\downarrow} = l_{\kappa_X}\sigma = X\sigma$.

We now show that $\psi^J$ is an interpretation for $[F]$. After Lemma 121 (b), $[\Gamma \vdash r]^{J}_{\Delta_n,\sigma,\xi} \in \mathcal{R}_{\Delta_n \vdash r\sigma} = \mathcal{R}_{\Delta_n \vdash G(\vec{t})}$. Moreover, $\top_{\Delta_n \vdash G(\vec{t})} \in \mathcal{R}_{\Delta_n \vdash G(\vec{t})}$. Thus we are left with proving the properties (P1) to (P3).

(P1) Assume that $\vec{t} \to \vec{t}'$. By (A1), $\to$ is confluent. Therefore, $\{\vec{t}\} \subseteq \mathcal{WN}$ iff $\{\vec{t}'\} \subseteq \mathcal{WN}$, and if $\{\vec{t}\} \subseteq \mathcal{WN}$ then $\vec{t}{\downarrow} = \vec{t}'{\downarrow}$. So, $\psi^J_{\Delta \vdash G}(\vec{a}) = \psi^J_{\Delta \vdash G}(\vec{a}')$.

(P2) Assume that $\Delta_n \subseteq \Delta' \in \mathcal{E}$. After Lemma 121 (d), $[\Gamma \vdash r]^{J}_{\Delta_n,\sigma,\xi}|_{\Delta'} = [\Gamma \vdash r]^{J}_{\Delta',\sigma,\xi|_{\Delta'}}$. Moreover, $\top_{\Delta_n \vdash G(\vec{t})}|_{\Delta'} = \top_{\Delta' \vdash G(\vec{t})}$. Therefore, $\psi^J_{\Delta \vdash G}(\vec{a})|_{\Delta'} = \psi^J_{\Delta' \vdash G}(\vec{a})$. Now, assume that $\Delta_k \subseteq \Delta'_k \in \mathcal{E}$. Let $a'_k = \Delta'_k \vdash t_k$ if $x_k \in \mathcal{X}^\star$, and $a'_k = (\Delta'_k \vdash t_k, S_k|_{\Delta'_k})$ if $x_k \in \mathcal{X}^\square$. Then, $\psi^J_{\Delta \vdash G}(a_1, \ldots, a_{k-1}, a_k)|_{\Delta'_k}$ and $\psi^J_{\Delta \vdash G}(a_1, \ldots, a_{k-1}, a'_k)$ have the same domain and are equal.

(P3) $\psi^J_{\Delta \vdash G}|_{\Delta'}$ and $\psi^J_{\Delta' \vdash G}$ have the same domain and are equal. ■

Lemma 139 $\psi$ is monotone.

Proof. As in Lemma 129. ■

8.6.3 Recursive, small and simple systems

Let $G \in [F]$ and $\Delta \in \mathcal{E}$. To a sequence of arguments $\vec{a}$ for $J_{\Delta \vdash G}$, we associate the substitution $\theta = \{\vec{x} \mapsto \vec{t}\} : \Gamma_G \to \Delta_n$ and the assignment $\xi = \{\vec{x} \mapsto \vec{S}|_{\Delta_n}\}$ compatible with $(\theta, \Gamma_G, \Delta_n)$. Let $\mathcal{P}$ be the set of sequences $\vec{a}$ such that $(\theta, \Gamma_G, \Delta_n)$ is valid w.r.t. $\xi$. We equip $\mathcal{P}$ with the following well-founded ordering: $\vec{a} \sqsupset \vec{a}'$ if

Definition 140 We define $J_{\Delta \vdash G}(\vec{a})$ by induction on $\sqsupset$:

$J_{\Delta \vdash G}(\vec{a}) = [\Gamma \vdash r]^{J}_{\Delta_n,\sigma,\xi}$ if $\{\vec{t}\} \subseteq \mathcal{WN}$, $\vec{t}{\downarrow} = \vec{l}\sigma$ and $(G(\vec{l}) \to r, \Gamma, \rho) \in \mathcal{R}$,

$J_{\Delta \vdash G}(\vec{a}) = \top_{\Delta_n \vdash G(\vec{t})}$ otherwise,

where, for all $X \in FV^\square(r)$, $X\xi = S_{\kappa_X}|_{\Delta_n}$.

Lemma 141 $J$ is a well defined interpretation.

Proof. By simplicity, at most one rule can be applied at the top of $G(\vec{t}{\downarrow})$. The existence of $\kappa_X$ is the smallness hypothesis. By (S4), if $\vec{t}{\downarrow} = \vec{l}\sigma$ then $\sigma : \Gamma \to \Delta_n$. Moreover, $\xi$ is compatible with $(\sigma, \Gamma, \Delta_n)$ since, for all $X \in FV^\square(r)$, $X\xi = S_{\kappa_X}|_{\Delta_n} \in \mathcal{R}_{\Delta_n \vdash X\sigma}$, because $S_{\kappa_X} \in \mathcal{R}_{\Delta_{\kappa_X} \vdash t_{\kappa_X}}$ and, by smallness, $t_{\kappa_X}{\downarrow} = l_{\kappa_X}\sigma = X\sigma$.

The well-foundedness of the definition comes from Lemma 147 and Theorem 146. In Lemma 147, for the reductibility of higher-order symbols, we show that, starting from a sequence $\vec{a} \in \mathcal{P}$, it is possible to apply Theorem 146 for the correctness of the computable closure. And in this theorem, we show that, in a recursive call $G'(\vec{a}')$ (case (symb$^=$)), we have $\vec{a} \sqsupset \vec{a}'$. Since $\sqsupset$ is compatible with $\to$, $\vec{a} \sqsupset \vec{a}'{\downarrow}$.

Finally, to make sure that $J$ is an interpretation, one can proceed as in the case of a positive system. ■



8.7 Correctness of the conditions 

Definition 142 (Cap and aliens) Let £ be an injection from the classes of terms 
modulo ^* to X. The cap of a term t w.r.t. a set Q of symbols is the term 
capg(t) = t[xi] Pl . . . [x n ] Pn such that, for all i : 

- t\ Pi is not of the form f(t) with / G Q, 
-Xi = C(t\ Pi )- 

The t\ Pi 's are the aliens of t. We will denote by aliensg(t) the multiset of the aliens 
oft. 

Lemma 143 (Pre-reductibility of first-order symbols) Let / G T\ and i be 

terms such that f(i) is typable. If the ti's are strongly normalizable then /(t) is 
strongly normalizable. 

Proof. We prove that every immediate reduct $t'$ of $t = f(\vec{t})$ is strongly normalizable. Hereafter, by cap, we mean the cap w.r.t. $\mathcal{F}_1$.

Case $\mathcal{R}_\omega \neq \emptyset$. By induction on $(aliens(t), cap(t))_{lex}$ with $((\to \cup \rhd)_{mul}, \to_{\mathcal{R}_1})_{lex}$ as well-founded ordering (the aliens are strongly normalizable and, by (f), $\to_{\mathcal{R}_1}$ is strongly normalizing on $\mathcal{T}(\mathcal{F}_1, \mathcal{X})$).

If the reduction takes place in $cap(t)$ then this is an $\mathcal{R}_1$-reduction. By (c), no symbol of $\mathcal{F}_\omega$ occurs in the rules of $\mathcal{R}_1$. Therefore, $cap(t) \to_{\mathcal{R}_1} cap(t')$. By (d), the right hand-sides of the rules of $\mathcal{R}_1$ are algebraic and, by (e), the rules of $\mathcal{R}_1$ are non-duplicating. Therefore, $aliens(t) \geq_{mul} aliens(t')$ and we can conclude by induction hypothesis.

If the reduction takes place in an alien then $aliens(t) \;(\to \cup \rhd)_{mul}\; aliens(t')$ and we can conclude by induction hypothesis.

Case $\mathcal{R}_\omega = \emptyset$. Since the $t_i$'s are strongly normalizable and no $\beta$-reduction can take place at the top of $t$, $t$ has a $\beta$-normal form. Let $\beta cap(t)$ be the cap of its $\beta$-normal form. We prove that every immediate reduct $t'$ of $t$ is strongly normalizable, by induction on $(\beta cap(t), aliens(t))_{lex}$ with $(\to_{\mathcal{R}_1}, (\to \cup \rhd)_{mul})_{lex}$ as well-founded ordering (the aliens are strongly normalizable and, by (f), $\to_{\mathcal{R}_1}$ is strongly normalizing on $\mathcal{T}(\mathcal{F}_1, \mathcal{X})$).

If the reduction takes place in $cap(t)$ then this is an $\mathcal{R}_1$-reduction. By (d), the right hand-sides of the rules of $\mathcal{R}_1$ are algebraic. Therefore, $t'$ has a $\beta$-normal form and $\beta cap(t) \to_{\mathcal{R}_1} \beta cap(t')$. Hence, we can conclude by induction hypothesis.

If the reduction is a $\beta$-reduction in an alien then $\beta cap(t) = \beta cap(t')$ and $aliens(t) \;(\to \cup \rhd)_{mul}\; aliens(t')$. Hence, we can conclude by induction hypothesis.

We are left with the case where the reduction is an $\mathcal{R}_1$-reduction taking place in an alien $u$. Then, $aliens(t) \to_{mul} aliens(t')$, $\beta cap(t) \to^*_{\mathcal{R}_1} \beta cap(t')$ and we can conclude by induction hypothesis. To see that $\beta cap(t) \to^*_{\mathcal{R}_1} \beta cap(t')$, it suffices to remark the following: if we $\beta$-normalize $u$, all the residuals of the $\mathcal{R}_1$-redex are still reducible since, by (c), no symbol of $\mathcal{F}_\omega$ occurs in the rules of $\mathcal{R}_1$. ■
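The cap/alien decomposition of Definition 142, and the two facts the cap-reduction case of Lemma 143 rests on (a first-order step inside the cap is mirrored by the same step on the cap, and with algebraic, non-duplicating right-hand sides the multiset of aliens cannot grow), can be checked mechanically on small terms. The Python below is an added illustration, not code from the thesis. It assumes a concrete term syntax (Var/Fun/Lam/App), takes the injection $\xi$ on syntactically equal aliens rather than on classes modulo $\leftrightarrow^*$, and only performs a root step with a first-order rule. The sample terms are constructed: the usual rule for plus on unary naturals, and a deliberately duplicating rule dup(x) → pair(x, x) that violates condition (e) and lets the alien multiset grow.

```python
from collections import Counter
from dataclasses import dataclass

# Added example, not from the thesis. Hypothetical term syntax: algebraic
# symbol applications f(t1, ..., tn), variables, and lambda-terms.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Fun:
    sym: str
    args: tuple

@dataclass(frozen=True)
class Lam:
    var: str
    body: object

@dataclass(frozen=True)
class App:
    fun: object
    arg: object


class Xi:
    """Injection from aliens to variables (Definition 142). Assumption: two aliens
    get the same variable iff they are syntactically equal, which is coarser than
    the thesis's classes modulo <->*."""
    def __init__(self):
        self.table = {}

    def __call__(self, alien):
        if alien not in self.table:
            self.table[alien] = Var(f"_x{len(self.table)}")
        return self.table[alien]


def cap(t, Q, xi):
    """cap_Q(t): keep the outermost part built from symbols of Q and replace each
    maximal subterm not headed by a symbol of Q by xi(subterm)."""
    if isinstance(t, Fun) and t.sym in Q:
        return Fun(t.sym, tuple(cap(a, Q, xi) for a in t.args))
    return xi(t)


def aliens(t, Q):
    """aliens_Q(t): multiset of the maximal subterms not headed by a symbol of Q."""
    if isinstance(t, Fun) and t.sym in Q:
        return sum((aliens(a, Q) for a in t.args), Counter())
    return Counter({t: 1})


def match(pat, t, sub):
    """First-order matching of an algebraic pattern (Var/Fun only) against t."""
    if isinstance(pat, Var):
        return sub.setdefault(pat.name, t) == t
    return (isinstance(t, Fun) and pat.sym == t.sym and len(pat.args) == len(t.args)
            and all(match(p, a, sub) for p, a in zip(pat.args, t.args)))


def subst(t, sub):
    """Instantiate an algebraic right-hand side (condition (d): Var/Fun only)."""
    if isinstance(t, Var):
        return sub.get(t.name, t)
    return Fun(t.sym, tuple(subst(a, sub) for a in t.args))


def rewrite_top(t, rule):
    """One R1-step at the root with rule = (lhs, rhs); None if the rule does not match."""
    lhs, rhs = rule
    sub = {}
    return subst(rhs, sub) if match(lhs, t, sub) else None


def check_cap_step(t, rule, Q):
    """Rewrite t at the root and report whether (i) cap(t) rewrites to cap(t') with
    the same rule and (ii) aliens(t') is a sub-multiset of aliens(t): the two facts
    used in the cap-reduction case of Lemma 143."""
    t2 = rewrite_top(t, rule)
    xi = Xi()  # one injection shared by t and t', so equal aliens get equal names
    cap_t, cap_t2 = cap(t, Q, xi), cap(t2, Q, xi)
    cap_follows = rewrite_top(cap_t, rule) == cap_t2
    al_t, al_t2 = aliens(t, Q), aliens(t2, Q)
    aliens_not_grown = all(al_t[a] >= n for a, n in al_t2.items())
    return t2, cap_follows, aliens_not_grown


# Constructed sample data.
Q = {"plus", "s", "0", "dup", "pair"}            # the first-order symbols F1
ZERO = Fun("0", ())
ALIEN = App(Lam("z", Var("z")), ZERO)           # a beta-redex: not Q-headed, hence an alien
PLUS_RULE = (Fun("plus", (Fun("s", (Var("x"),)), Var("y"))),
             Fun("s", (Fun("plus", (Var("x"), Var("y"))),)))   # algebraic, non-duplicating
DUP_RULE = (Fun("dup", (Var("x"),)),
            Fun("pair", (Var("x"), Var("x"))))                  # duplicating: violates (e)


def demo():
    """Returns (t', cap follows, aliens not grown) for the good and the bad rule."""
    good = check_cap_step(Fun("plus", (Fun("s", (ZERO,)), ALIEN)), PLUS_RULE, Q)
    bad = check_cap_step(Fun("dup", (ALIEN,)), DUP_RULE, Q)
    return good, bad
```

With the non-duplicating rule both checks hold, so the lexicographic measure $(aliens(t), cap(t))$ of the proof decreases or stays equal in its first component and strictly decreases in its second; with the duplicating rule the cap still follows but the alien multiset doubles, which is exactly what condition (e) rules out.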

Theorem 144 (Strong normalization of $\to_{\mathcal{R}}$) The relation $\to_{\mathcal{R}} = \to_{\mathcal{R}_1} \cup \to_{\mathcal{R}_\omega}$ is strongly normalizing on typable terms.

Proof. By induction on the structure of terms. The only difficult case is $f(\vec{t})$. If $f$ is first-order, we use the Lemma of pre-reductibility of first-order symbols. If $f$ is higher-order, we have to show that if $\vec{t} \in \mathcal{SN}$ and $f(\vec{t}) \in \mathcal{T}$ then $t = f(\vec{t}) \in \mathcal{SN}$, where $\mathcal{SN}$ means here the strong normalization w.r.t. $\to_{\mathcal{R}} = \to_{\mathcal{R}_1} \cup \to_{\mathcal{R}_\omega}$.

We prove that every immediate reduct $t'$ of $t$ is strongly normalizable by induction on $(f, \omega(t), \vec{t}, \vec{t})$ with $(>_{\mathcal{F}}, >_{\mathbb{N}}, (\rhd \cup \to_{\mathcal{R}})_{stat_f}, (\to_{\mathcal{R}})_{lex})_{lex}$ as well-founded ordering, where $\omega(t) = 0$ if $t$ is not of the form $g(\vec{u})$ and $\omega(t) = 1$ otherwise. Assume that $t' = f(\vec{t'})$ with $t_i \to t'_i$ and, for all $j \neq i$, $t_j = t'_j$. Then, $\vec{t} \;(\to_{\mathcal{R}})_{lex}\; \vec{t'}$ and $\omega(t_i) \geq \omega(t'_i)$ since, if $t_i$ is not of the form $g(\vec{u})$, then $t'_i$ is not of the form $g(\vec{u})$ either.

Assume now that there exists $f(\vec{l}) \to r \in \mathcal{R}_\omega$ such that $t = l\sigma$ and $t' = r\sigma$. By (a), $r$ belongs to the computable closure of $\vec{l}$. It is then easy to prove that $r\sigma$ is strongly normalizable by induction on the structure of $r$. Again, the only difficult case is $g(\vec{u})$. But, either $g$ is smaller than $f$, or $g$ is equivalent to $f$ and its arguments are smaller than $\vec{l}$. If $l_i >_1 u_j$ then $l_i \rhd u_j$ and $\mathrm{FV}(u_j) \subseteq \mathrm{FV}(l_i)$. Therefore $l_i\sigma \rhd u_j\sigma$ and $\omega(l_i\sigma) = 1 \geq \omega(u_j\sigma)$. If now $l_i >_2 u_j$ then $u_j$ is of the form $x\vec{v}$ and $\omega(l_i\sigma) = 1 > \omega(u_j\sigma) = 0$. ■

Lemma 145 (Reductibility of first-order symbols) Let $f \in \mathcal{F}_1$, $\Gamma_f = (\vec{x}:\vec{T})U$, $\Delta \in \mathcal{E}$, $\theta : \Gamma_f \to \Delta$ and $\xi$ compatible with $(\theta, \Gamma_f, \Delta)$. If $(\theta, \Gamma_f, \Delta)$ is valid w.r.t. $\xi$ then $\Delta \vdash f(\vec{x})\theta \in [\Gamma_f \vdash U]_{\Delta,\theta,\xi}$.

Proof. Let $t_i = x_i\theta$ and $t = f(\vec{t})$. If $f$ is not a constructor then $t$ is neutral and it suffices to prove that, for every immediate reduct $t'$ of $t$, $\Delta \vdash t' \in [\Gamma_f \vdash U]_{\Delta,\theta,\xi}$. If $f$ is a constructor then $U = C(\vec{v})$ and $[\Gamma_f \vdash U]_{\Delta,\theta,\xi} = I_{\Delta \vdash C}(\vec{a})$ where $a_i = \Delta \vdash v_i\theta$ if $x_i \in \mathcal{X}^\star$, and $a_i = (\Delta \vdash v_i\theta, S_i)$ with $S_i = [\Gamma_f \vdash v_i]_{\Delta,\theta,\xi}$ if $x_i \in \mathcal{X}^\Box$. Let $j \in Acc(f)$. Since $\theta$ is valid w.r.t. $\xi$, $\Delta \vdash t_j \in [\Gamma_f \vdash T_j]_{\Delta,\theta,\xi}$. Therefore, in this case too, it suffices to prove that, for every immediate reduct $t'$ of $t$, $\Delta \vdash t' \in [\Gamma_f \vdash U]_{\Delta,\theta,\xi}$.

For first-order symbols, $U = \star$ or $U = C(\vec{v})$ with $C$ a primitive constant predicate symbol. Therefore $[\Gamma_f \vdash U]_{\Delta,\theta,\xi} = \mathcal{SN}_{\Delta \vdash U\theta}$ and it suffices to prove that every immediate reduct $t'$ of $t$ is strongly normalizable. This is the Lemma of pre-reductibility of first-order symbols. ■



Theorem 146 (Correctness of the computable closure) Let $f \in \mathcal{F}$, $\Gamma_f = (\vec{x}:\vec{T})U$, $R = (f(\vec{l}) \to r, \Gamma_0, \rho) \in \mathcal{R}$, $\gamma_0 = \{\vec{x} \mapsto \vec{l}\}$, $\Delta \in \mathcal{E}$, $\sigma : \Gamma_0 \to \Delta$ and $\xi$ compatible with $(\sigma, \Gamma_0, \Delta)$ such that:

• $(\sigma, \Gamma_0, \Delta)$ is valid w.r.t. $\xi$;

• for all $i$, $\Delta \vdash l_i\sigma \in [\Gamma_0 \vdash T_i\gamma_0\rho]_{\Delta,\sigma,\xi}$;

• for all $g \leq_{\mathcal{F}} f$, if $\Gamma_g = (\vec{y}:\vec{U})V$, $\Delta' \in \mathcal{E}$, $\theta' : \Gamma_g \to \Delta'$, $\xi'$ is compatible with $(\theta', \Gamma_g, \Delta')$ and $(\theta', \Gamma_g, \Delta')$ is valid w.r.t. $\xi'$, then $\Delta' \vdash g(\vec{y})\theta' \in [\Gamma_g \vdash V]_{\Delta',\theta',\xi'}$ whenever $(f, \Delta, \gamma_0\sigma, \xi) \sqsupset (g, \Delta', \theta', \xi')$.

If $\Gamma_0, \Gamma \vdash_c t : T$, $\Delta \subseteq \Delta' \in \mathcal{E}$, $\sigma' : \Gamma \to \Delta'$, $\xi'$ is compatible with $(\sigma', \Gamma, \Delta')$ and $(\sigma', \Gamma, \Delta')$ is valid w.r.t. $\xi'$, then $\Delta' \vdash t\sigma\sigma' \in [\Gamma_0, \Gamma \vdash T]_{\Delta',\sigma\sigma',\xi''}$ where $\xi'' = \xi|_{\Delta'} \cup \xi'$.

Proof. By induction on $\Gamma' \vdash_c t : T$ ($\Gamma' = \Gamma_0, \Gamma$), we prove:

(a) $\Delta' \vdash t\sigma\sigma' \in [\Gamma' \vdash T]_{\Delta',\sigma\sigma',\xi''}$,

(b) if $t \notin \mathcal{O}$ and $t \to t'$ then $[\Gamma' \vdash t]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash t']_{\Delta',\sigma\sigma',\xi''}$.

(ax)
$$\frac{}{\Gamma' \vdash_c \star : \Box}$$

(a) $\Delta' \vdash \star \in [\Gamma' \vdash \Box]_{\Delta',\sigma\sigma',\xi''} = \mathcal{SN}_{\Delta' \vdash \Box}$.

(b) $\star$ is not reducible.



(symb$_<$)
$$\frac{\Gamma' \vdash \tau_g : s \quad \Gamma' \vdash_c u_1 : U_1\gamma \;\ldots\; \Gamma' \vdash_c u_n : U_n\gamma}{\Gamma' \vdash_c g(\vec{u}) : V\gamma} \quad (g <_{\mathcal{F}} f)$$

(a) By induction hypothesis, $\Delta' \vdash u_i\sigma\sigma' \in [\Gamma' \vdash U_i\gamma]_{\Delta',\sigma\sigma',\xi''}$. By candidates substitution, there exists $\xi'''$ such that $[\Gamma' \vdash U_i\gamma]_{\Delta',\sigma\sigma',\xi''} = [\Gamma_g \vdash U_i]_{\Delta',\gamma\sigma\sigma',\xi'''}$ and $[\Gamma' \vdash V\gamma]_{\Delta',\sigma\sigma',\xi''} = [\Gamma_g \vdash V]_{\Delta',\gamma\sigma\sigma',\xi'''}$. Hence, $(\gamma\sigma\sigma', \Gamma_g, \Delta')$ is valid w.r.t. $\xi'''$ and, by hypothesis on $g$, $\Delta' \vdash g(\vec{y})\gamma\sigma\sigma' \in [\Gamma_g \vdash V]_{\Delta',\gamma\sigma\sigma',\xi'''}$.

(b) We have $[\Gamma' \vdash g(\vec{u})]_{\Delta',\sigma\sigma',\xi''} = I_{\Delta' \vdash g}(\vec{a})$ with $a_i = \Delta' \vdash u_i\sigma\sigma'$ if $y_i \in \mathcal{X}^\star$, and $a_i = (\Delta' \vdash u_i\sigma\sigma', S_i)$ where $S_i = [\Gamma' \vdash u_i]_{\Delta',\sigma\sigma',\xi''}$ if $y_i \in \mathcal{X}^\Box$. There are two cases:

- $u_i \to u'_i$. We conclude by (P1).

- $\vec{u} = \vec{l'}\sigma''$ and $(g(\vec{l'}) \to r', \Gamma'', \rho') \in \mathcal{R}$. Let $\sigma''' = \sigma''\sigma\sigma'$. By (A3), there are two sub-cases:

  • $g$ belongs to a primitive system. Then $I_{\Delta' \vdash g} = \top_{\Delta' \vdash g}$ and $[\Gamma' \vdash g(\vec{l'}\sigma'')]_{\Delta',\sigma\sigma',\xi''} = I_{\Delta' \vdash g}(\vec{a}) = \top_{\Delta' \vdash r'\sigma'''}$. By candidates substitution, there exists $\xi'''$ such that $[\Gamma' \vdash r'\sigma'']_{\Delta',\sigma\sigma',\xi''} = [\Gamma'' \vdash r']_{\Delta',\sigma''',\xi'''}$. Moreover, $r'$ is of the form $[\vec{x}:\vec{T}]g'(\vec{u'})\vec{v}$ with $g' \simeq g$ or $g'$ a primitive constant predicate symbol. If $g' \simeq g$ then $I_{\Delta' \vdash g'} = \top_{\Delta' \vdash g'}$. If $g'$ is a primitive constant predicate symbol then, after Lemma 130, $I_{\Delta' \vdash g'} = \top_{\Delta' \vdash g'}$. Therefore, $[\Gamma'' \vdash r']_{\Delta',\sigma''',\xi'''} = \top_{\Delta' \vdash r'\sigma'''}$ and $[\Gamma' \vdash g(\vec{l'}\sigma'')]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash r'\sigma'']_{\Delta',\sigma\sigma',\xi''}$.

  • $g$ belongs to a positive or recursive, small and simple system. Since $\Delta' \vdash u_i\sigma\sigma' \in [\Gamma' \vdash U_i\gamma]_{\Delta',\sigma\sigma',\xi''} \subseteq \mathcal{SN}$, by (A1), $u_i\sigma\sigma'$ has a normal form. By simplicity, the symbols in $\vec{l'}$ are constant. Therefore $u_i\sigma\sigma'$ is of the form $l'_i\sigma'''$ with $\sigma''\sigma\sigma' \to^* \sigma'''$. By simplicity again, at most one rule can be applied at the top of a term. Therefore $I_{\Delta' \vdash g}(\vec{a}) = [\Gamma'' \vdash r']_{\Delta',\sigma''',\xi'''}$ with, for all $X \in \mathrm{FV}^\Box(r')$, $X\xi''' = S_{\kappa_X} = [\Gamma' \vdash l'_{\kappa_X}\sigma'']_{\Delta',\sigma\sigma',\xi''}$. By smallness, $l'_{\kappa_X} = X$. Therefore $X\xi''' = [\Gamma' \vdash X\sigma'']_{\Delta',\sigma\sigma',\xi''}$ and, by candidates substitution, $[\Gamma'' \vdash r']_{\Delta',\sigma''',\xi'''} = [\Gamma' \vdash r'\sigma'']_{\Delta',\sigma\sigma',\xi''}$.

(symb$_=$)
$$\frac{\Gamma' \vdash \tau_g : s \quad \Gamma' \vdash_c u_1 : U_1\gamma \;\ldots\; \Gamma' \vdash_c u_n : U_n\gamma}{\Gamma' \vdash_c g(\vec{u}) : V\gamma} \quad (g \simeq_{\mathcal{F}} f,\ \vec{l} : \vec{T}\gamma_0 > \vec{u} : \vec{U}\gamma)$$

(a) Like in the previous case, we have $(\gamma\sigma\sigma', \Gamma_g, \Delta')$ valid w.r.t. $\xi'''$. Let us prove that $(f, \Delta, \gamma_0\sigma, \xi) \sqsupset (g, \Delta', \gamma\sigma\sigma', \xi''')$. To this end, it suffices to prove that, if $l_i : T_i\gamma_0 >_1 u_j : U_j\gamma$ then $l_i\sigma \rhd u_j\sigma\sigma'$, and if $l_i : T_i\gamma_0 >_2 u_j : U_j\gamma$ then $o(\Delta \vdash l_i\sigma) > o(\Delta' \vdash u_j\sigma\sigma')$.

Assume that $l_i : T_i\gamma_0 >_1 u_j : U_j\gamma$. Then, $l_i \rhd u_j$ and $\mathrm{FV}(u_j) \subseteq \mathrm{FV}(l_i)$. Therefore, $l_i\sigma\sigma' = l_i\sigma \rhd u_j\sigma\sigma'$.

Assume now that $l_i : T_i\gamma_0 >_2 u_j : U_j\gamma$. By definition of $>_2$, we have $u_j = x\vec{v}$, $x \in \mathrm{dom}(\Gamma_0)$, $x\Gamma_0 = (\vec{z}:\vec{V})W$. Let $\theta = \{\vec{z} \mapsto \vec{v}\}$. By correctness of the ordering on the arguments, it suffices to check that:

(1) $\Gamma' \vdash l_i\rho : T_i\gamma_0\rho$,

(2) $\Delta' \vdash l_i\sigma\sigma' \in [\Gamma' \vdash T_i\gamma_0\rho]_{\Delta',\sigma\sigma',\xi''}$,

(3) for all $k$, $\Delta' \vdash v_k\sigma\sigma' \in [\Gamma' \vdash V_k\theta]_{\Delta',\sigma\sigma',\xi''}$.

Indeed, from this, we can deduce that $o(\Delta' \vdash l_i\sigma\sigma') > o(\Delta' \vdash u_j\sigma\sigma')$. But $l_i\sigma = l_i\sigma\sigma'$ and $o(\Delta \vdash l_i\sigma) \geq o(\Delta' \vdash l_i\sigma)$.

(1) By definition of a well-formed rule, $\Gamma_0 \vdash f(\vec{l})\rho : U\gamma_0\rho$. Therefore, by inversion, $\Gamma_0 \vdash l_i\rho : T_i\gamma_0\rho$. Since $\Gamma_0 \subseteq \Gamma' \in \mathcal{E}$, by weakening, $\Gamma' \vdash l_i\rho : T_i\gamma_0\rho$.

(2) By hypothesis, $\Delta \vdash l_i\sigma \in [\Gamma_0 \vdash T_i\gamma_0\rho]_{\Delta,\sigma,\xi}$. But $l_i\sigma\sigma' = l_i\sigma$ and $[\Gamma_0 \vdash T_i\gamma_0\rho]_{\Delta',\sigma\sigma',\xi''} = [\Gamma_0 \vdash T_i\gamma_0\rho]_{\Delta',\sigma,\xi|_{\Delta'}} = [\Gamma_0 \vdash T_i\gamma_0\rho]_{\Delta,\sigma,\xi}|_{\Delta'}$.

(3) By hypothesis, we have $\Gamma' \vdash_c x\vec{v} : U_j\gamma$. Let $q = |\vec{v}|$. By inversion, there exist $\vec{V'}$ and $\vec{W'}$ such that $\Gamma' \vdash_c xv_1 \ldots v_{q-1} : (x_q : V'_q)W'_q$, $\Gamma' \vdash_c v_q : V'_q$ and $W'_q\{x_q \mapsto v_q\} \downarrow U_j\gamma$ and, for all $k \leq q-1$, $\Gamma' \vdash_c xv_1 \ldots v_k : (x_{k+1} : V'_{k+1})W'_{k+1}$, $\Gamma' \vdash_c v_{k+1} : V'_{k+1}$ and $W'_{k+1}\{x_{k+1} \mapsto v_{k+1}\} \downarrow (x_{k+2} : V'_{k+2})W'_{k+2}$. Hence, by induction hypothesis, for all $k$, $\Delta' \vdash v_k\sigma\sigma' \in [\Gamma' \vdash V'_k]_{\Delta',\sigma\sigma',\xi''}$. We now show that $V'_k \downarrow V_k\theta$. Let $W_k = (z_{k+1} : V_{k+1}) \ldots (z_q : V_q)W$ and $\theta_k = \{z_1 \mapsto v_1, \ldots, z_k \mapsto v_k\}$. We prove by induction on $k$ that $V'_k \downarrow V_k\theta_{k-1}$ and $W'_k\{x_k \mapsto v_k\} \downarrow W_k\theta_k$.

- Case $k = 1$. Since $(\vec{z}:\vec{V})W \downarrow (x_1 : V'_1)W'_1$, by product compatibility and $\alpha$-equivalence (we take $x_1 = z_1$), $V'_1 \downarrow V_1$ and $W'_1 \downarrow W_1$. Therefore, $W'_1\{x_1 \mapsto v_1\} \downarrow W_1\theta_1$.

- Case $k > 1$. By induction hypothesis, we have $W'_{k-1}\{x_{k-1} \mapsto v_{k-1}\} \downarrow W_{k-1}\theta_{k-1}$. But $W'_{k-1}\{x_{k-1} \mapsto v_{k-1}\} \downarrow (x_k : V'_k)W'_k$ and $W_{k-1}\theta_{k-1} = (z_k : V_k\theta_{k-1})W_k\theta_{k-1}$. By product compatibility and $\alpha$-equivalence (we take $x_k = z_k$), $V'_k \downarrow V_k\theta_{k-1}$ and $W'_k \downarrow W_k\theta_{k-1}$. Therefore, $W'_k\{x_k \mapsto v_k\} \downarrow W_k\theta_k$.

In conclusion, $\Delta' \vdash v_k\sigma\sigma' \in [\Gamma' \vdash V'_k]_{\Delta',\sigma\sigma',\xi''}$ and $V'_k \downarrow V_k\theta_{k-1} = V_k\theta$. By (conv'), the types used in a conversion are typable. Therefore, we can apply the induction hypothesis (b). Hence, $[\Gamma' \vdash V'_k]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash V_k\theta]_{\Delta',\sigma\sigma',\xi''}$ and $\Delta' \vdash v_k\sigma\sigma' \in [\Gamma' \vdash V_k\theta]_{\Delta',\sigma\sigma',\xi''}$.

(b) Like for (symb$_<$).

(acc)
$$\frac{\Gamma' \vdash_c x\Gamma_0 : s}{\Gamma' \vdash_c x : x\Gamma_0} \quad (x \in \mathrm{dom}(\Gamma_0))$$

(a) Since $(\sigma, \Gamma_0, \Delta')$ is valid w.r.t. $\xi|_{\Delta'}$.

(b) $x$ is irreducible.

(var)
$$\frac{\Gamma' \vdash T : s}{\Gamma', x:T \vdash x : T}$$

(a) Because $(\sigma\sigma', \Gamma', \Delta')$ is valid w.r.t. $\xi''$.

(b) $x$ is irreducible.

(weak)
$$\frac{\Gamma' \vdash_c t : T \quad \Gamma' \vdash_c U : s}{\Gamma', x:U \vdash_c t : T}$$

(a) By induction hypothesis, $\Delta' \vdash t\sigma\sigma' \in [\Gamma' \vdash T]_{\Delta',\sigma\sigma',\xi''} = [\Gamma_0, \Gamma, x:U \vdash T]_{\Delta',\sigma\sigma',\xi''}$.

(b) Since $x \notin \mathrm{FV}(t)$, $[\Gamma', x:U \vdash t]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash t]_{\Delta',\sigma\sigma',\xi''}$. But, by induction hypothesis, $[\Gamma' \vdash t]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash t']_{\Delta',\sigma\sigma',\xi''}$.

(prod)
$$\frac{\Gamma', x:T \vdash_c U : s}{\Gamma' \vdash_c (x:T)U : s}$$

(a) We have to prove that $\Delta' \vdash (x : T\sigma\sigma')U\sigma\sigma' \in [\Gamma' \vdash s]_{\Delta',\sigma\sigma',\xi''} = \mathcal{SN}_{\Delta' \vdash s}$. By inversion, $\Gamma' \vdash T : s'$. By induction hypothesis, $\Delta' \vdash T\sigma\sigma' \in [\Gamma' \vdash s']_{\Delta',\sigma\sigma',\xi''}$. We now show that $U\sig\sigma' \in \mathcal{SN}$. We can always assume that $x \notin \mathrm{dom}(\Delta')$. Then, $\sigma\sigma' : \Gamma', x:T \to \Delta''$ where $\Delta'' = \Delta', x : T\sigma\sigma'$. Let $\xi''' = \xi''|_{\Delta''}$ if $x \in \mathcal{X}^\star$, and $\xi''' = \xi''|_{\Delta''} \cup \{x \mapsto \top_{\Delta'' \vdash x}\}$ if $x \in \mathcal{X}^\Box$. Then, $\xi'''$ is compatible with $(\sigma\sigma', (\Gamma', x:T), \Delta'')$ since, if $x \in \mathcal{X}^\Box$ then $x\xi''' \in \mathcal{R}_{\Delta'' \vdash x} = \mathcal{R}_{\Delta'' \vdash x\sigma\sigma'}$ and, for all $X \in \mathrm{dom}^\Box(\Gamma')$, $X\xi''' = X\xi'' \in \mathcal{R}_{\Delta'' \vdash X\sigma\sigma'}$ since $\xi''$ is compatible with $(\sigma\sigma', \Gamma', \Delta')$. Moreover, $(\sigma\sigma', (\Gamma', x:T), \Delta'')$ is valid w.r.t. $\xi'''$ since, by Lemma 115, $\Delta'' \vdash x\sigma\sigma' = \Delta'' \vdash x \in [\Gamma', x:T \vdash T]_{\Delta'',\sigma\sigma',\xi'''}$. Therefore, by induction hypothesis, $\Delta'' \vdash U\sigma\sigma' \in [\Gamma', x:T \vdash s]_{\Delta'',\sigma\sigma',\xi'''} = \mathcal{SN}_{\Delta'' \vdash s}$.

(b) There are two cases:

- $T \to T'$. We prove that $[\Gamma' \vdash (x:T)U]_{\Delta',\sigma\sigma',\xi''} \subseteq [\Gamma' \vdash (x:T')U]_{\Delta',\sigma\sigma',\xi''}$. The other way around is similar. Let $\Delta'' \vdash u \in [\Gamma' \vdash (x:T)U]_{\Delta',\sigma\sigma',\xi''}$, $\Delta''' \vdash t \in [\Gamma' \vdash T']_{\Delta''',\sigma\sigma',\xi''|_{\Delta'''}}$ and $\sigma'' = \sigma\sigma' \cup \{x \mapsto t\}$. By induction hypothesis, $[\Gamma' \vdash T]_{\Delta''',\sigma\sigma',\xi''|_{\Delta'''}} = [\Gamma' \vdash T']_{\Delta''',\sigma\sigma',\xi''|_{\Delta'''}}$. Therefore, $\Delta''' \vdash t \in [\Gamma' \vdash T]_{\Delta''',\sigma\sigma',\xi''|_{\Delta'''}}$, $\Delta''' \vdash ut \in [\Gamma', x:T \vdash U]_{\Delta''',\sigma'',\xi''|_{\Delta'''}}$ and $\Delta'' \vdash u \in [\Gamma' \vdash (x:T')U]_{\Delta',\sigma\sigma',\xi''}$.

- $U \to U'$. We prove that $[\Gamma' \vdash (x:T)U]_{\Delta',\sigma\sigma',\xi''} \subseteq [\Gamma' \vdash (x:T)U']_{\Delta',\sigma\sigma',\xi''}$. The other way around is similar. Let $\Delta'' \vdash u \in [\Gamma' \vdash (x:T)U]_{\Delta',\sigma\sigma',\xi''}$, $\Delta''' \vdash t \in [\Gamma' \vdash T]_{\Delta''',\sigma\sigma',\xi''|_{\Delta'''}}$ and $\sigma'' = \sigma\sigma' \cup \{x \mapsto t\}$. Then, $\Delta''' \vdash ut \in [\Gamma', x:T \vdash U]_{\Delta''',\sigma'',\xi''|_{\Delta'''}}$. By induction hypothesis, $[\Gamma', x:T \vdash U]_{\Delta''',\sigma'',\xi''|_{\Delta'''}} = [\Gamma', x:T \vdash U']_{\Delta''',\sigma'',\xi''|_{\Delta'''}}$. Therefore, $\Delta''' \vdash ut \in [\Gamma', x:T \vdash U']_{\Delta''',\sigma'',\xi''|_{\Delta'''}}$ and $\Delta'' \vdash u \in [\Gamma' \vdash (x:T)U']_{\Delta',\sigma\sigma',\xi''}$.

(abs)
$$\frac{\Gamma', x:T \vdash_c u : U \quad \Gamma' \vdash_c (x:T)U : s}{\Gamma' \vdash_c [x:T]u : (x:T)U}$$

(a) Let $\Gamma'' = \Gamma', x:T$. We have to prove that $\Delta' \vdash [x:T\sigma\sigma']u\sigma\sigma' \in [\Gamma' \vdash (x:T)U]_{\Delta',\sigma\sigma',\xi''}$. Let $\Delta'' \vdash t \in [\Gamma' \vdash T]_{\Delta',\sigma\sigma',\xi''}$ and $S \in \mathcal{R}_{\Delta'' \vdash t}$ if $x \in \mathcal{X}^\Box$. Let $\sigma'' = \sigma\sigma' \cup \{x \mapsto t\}$, $\xi''' = \xi''|_{\Delta''}$ if $x \in \mathcal{X}^\star$ and $\xi''' = \xi''|_{\Delta''} \cup \{x \mapsto S\}$ if $x \in \mathcal{X}^\Box$. We have $\sigma'' : \Gamma'' \to \Delta''$, $\xi'''$ compatible with $(\sigma'', \Gamma'', \Delta'')$ and $(\sigma'', \Gamma'', \Delta'')$ valid w.r.t. $\xi'''$. Therefore, by induction hypothesis, $\Delta'' \vdash u\sigma'' \in R = [\Gamma'' \vdash U]_{\Delta'',\sigma'',\xi'''}$. Then, for proving that $v = [x:T\sigma\sigma']u\sigma\sigma'\; t \in R$, it suffices to prove that $T\sigma\sigma', u\sigma\sigma' \in \mathcal{SN}$. Indeed, in this case, it is easy to prove that every immediate reduct of the neutral term $v$ belongs to $R$ by induction on $(T\sigma\sigma', u\sigma\sigma', t)$ with $\to_{lex}$ as well-founded ordering. By induction hypothesis, we have $\Delta' \vdash (x:T\sigma\sigma')U\sigma\sigma' \in [\Gamma' \vdash s]_{\Delta',\sigma\sigma',\xi''}$. Therefore, $T\sigma\sigma' \in \mathcal{SN}$. Finally, if we take $t = x$, which is possible after Lemma 115, we have seen that, by induction hypothesis, $u\sigma'' = u\sigma\sigma' \in \mathcal{SN}$.

(b) There are two cases:

- $T \to T'$. Since $\top_{\Delta' \vdash T\sigma\sigma'} = \top_{\Delta' \vdash T'\sigma\sigma'}$, $[\Gamma' \vdash [x:T]u]_{\Delta',\sigma\sigma',\xi''}$ and $[\Gamma' \vdash [x:T']u]_{\Delta',\sigma\sigma',\xi''}$ have the same domain and are equal.

- $u \to u'$. Let $\Delta'' \vdash t \in \top_{\Delta' \vdash T\sigma\sigma'}$, $S \in \mathcal{R}_{\Delta'' \vdash t}$ if $x \in \mathcal{X}^\Box$, $\sigma'' = \sigma\sigma' \cup \{x \mapsto t\}$, $\xi''' = \xi''|_{\Delta''}$ if $x \in \mathcal{X}^\star$ and $\xi''' = \xi''|_{\Delta''} \cup \{x \mapsto S\}$ if $x \in \mathcal{X}^\Box$. By induction hypothesis, $[\Gamma', x:T \vdash u]_{\Delta'',\sigma'',\xi'''} = [\Gamma', x:T \vdash u']_{\Delta'',\sigma'',\xi'''}$. Therefore, $[\Gamma' \vdash [x:T]u]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash [x:T]u']_{\Delta',\sigma\sigma',\xi''}$.
(app)
$$\frac{\Gamma' \vdash_c t : (x:U)V \quad \Gamma' \vdash_c u : U}{\Gamma' \vdash_c tu : V\{x \mapsto u\}}$$

(a) By induction hypothesis, $\Delta' \vdash t\sigma\sigma' \in [\Gamma' \vdash (x:U)V]_{\Delta',\sigma\sigma',\xi''}$ and $\Delta' \vdash u\sigma\sigma' \in [\Gamma' \vdash U]_{\Delta',\sigma\sigma',\xi''}$. Let $S = [\Gamma' \vdash u]_{\Delta',\sigma\sigma',\xi''}$ if $x \in \mathcal{X}^\Box$. Then, by definition of $[\Gamma' \vdash (x:U)V]_{\Delta',\sigma\sigma',\xi''}$, $\Delta' \vdash t\sigma\sigma'\; u\sigma\sigma' \in R = [\Gamma', x:U \vdash V]_{\Delta',\sigma'',\xi'''}$ where $\sigma'' = \sigma\sigma' \cup \{x \mapsto u\sigma\sigma'\}$, $\xi''' = \xi''$ if $x \in \mathcal{X}^\star$, and $\xi''' = \xi'' \cup \{x \mapsto S\}$ if $x \in \mathcal{X}^\Box$. By candidates substitution, $R = [\Gamma' \vdash V\{x \mapsto u\}]_{\Delta',\sigma\sigma',\xi''}$.

(b) There are three cases:

- $t \to t'$. By induction hypothesis, $[\Gamma' \vdash t]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash t']_{\Delta',\sigma\sigma',\xi''}$. Therefore, $[\Gamma' \vdash tu]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash t]_{\Delta',\sigma\sigma',\xi''}(\Delta' \vdash u\sigma\sigma', [\Gamma' \vdash u]_{\Delta',\sigma\sigma',\xi''}) = [\Gamma' \vdash t']_{\Delta',\sigma\sigma',\xi''}(\Delta' \vdash u\sigma\sigma', [\Gamma' \vdash u]_{\Delta',\sigma\sigma',\xi''}) = [\Gamma' \vdash t'u]_{\Delta',\sigma\sigma',\xi''}$.

- $u \to u'$. By induction hypothesis, $[\Gamma' \vdash u]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash u']_{\Delta',\sigma\sigma',\xi''}$. By (P1), $[\Gamma' \vdash t]_{\Delta',\sigma\sigma',\xi''}(\Delta' \vdash u\sigma\sigma', [\Gamma' \vdash u]_{\Delta',\sigma\sigma',\xi''}) = [\Gamma' \vdash t]_{\Delta',\sigma\sigma',\xi''}(\Delta' \vdash u'\sigma\sigma', [\Gamma' \vdash u']_{\Delta',\sigma\sigma',\xi''})$. Therefore, $[\Gamma' \vdash tu]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash tu']_{\Delta',\sigma\sigma',\xi''}$.

- $t = [x:U']v$ and $t' = v\{x \mapsto u\}$. Let $\sigma'' = \{x \mapsto u\}\sigma\sigma'$ and $\xi''' = \xi'' \cup \{x \mapsto [\Gamma' \vdash u]_{\Delta',\sigma\sigma',\xi''}\}$. By candidates substitution, $[\Gamma' \vdash t']_{\Delta',\sigma\sigma',\xi''} = [\Gamma', x:U' \vdash v]_{\Delta',\sigma'',\xi'''}$. On the other hand, $[\Gamma' \vdash tu]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash t]_{\Delta',\sigma\sigma',\xi''}(\Delta' \vdash u\sigma\sigma', [\Gamma' \vdash u]_{\Delta',\sigma\sigma',\xi''}) = [\Gamma', x:U' \vdash v]_{\Delta',\sigma\sigma' \cup \{x \mapsto u\sigma\sigma'\},\xi'''} = [\Gamma', x:U' \vdash v]_{\Delta',\sigma'',\xi'''}$.

(conv)
$$\frac{\Gamma' \vdash_c t : T \quad \Gamma' \vdash_c T : s \quad T \downarrow T' \quad \Gamma' \vdash_c T' : s}{\Gamma' \vdash_c t : T'}$$

(a) Let $U$ be the common reduct of $T$ and $T'$. By induction hypothesis, $\Delta' \vdash t\sigma\sigma' \in [\Gamma' \vdash T]_{\Delta',\sigma\sigma',\xi''}$, $[\Gamma' \vdash T]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash U]_{\Delta',\sigma\sigma',\xi''}$ and $[\Gamma' \vdash T']_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash U]_{\Delta',\sigma\sigma',\xi''}$. Therefore, $[\Gamma' \vdash T]_{\Delta',\sigma\sigma',\xi''} = [\Gamma' \vdash T']_{\Delta',\sigma\sigma',\xi''}$ and $\Delta' \vdash t\sigma\sigma' \in [\Gamma' \vdash T']_{\Delta',\sigma\sigma',\xi''}$.

(b) By induction hypothesis. ■



Lemma 147 (Reductibility of higher-order symbols) Let $f \in \mathcal{F}_\omega$, $\Gamma_f = (\vec{x}:\vec{T})U$, $\Delta \in \mathcal{E}$, $\theta : \Gamma_f \to \Delta$ and $\xi$ compatible with $(\theta, \Gamma_f, \Delta)$. If $(\theta, \Gamma_f, \Delta)$ is valid w.r.t. $\xi$ then $\Delta \vdash f(\vec{x})\theta \in [\Gamma_f \vdash U]_{\Delta,\theta,\xi}$.

Proof. By induction on $((f, \Delta, \theta, \xi), \vec{x}\theta)$ with $(\sqsupset, \to)_{lex}$ as well-founded ordering. Let $t_i = x_i\theta$ and $t = f(\vec{t})$. Like in the Lemma of reductibility of first-order symbols, it suffices to prove that, for every immediate reduct $t'$ of $t$, $\Delta \vdash t' \in [\Gamma_f \vdash U]_{\Delta,\theta,\xi}$.

If the reduction takes place in one $t_i$ then we can conclude by induction hypothesis since reductibility candidates are stable by reduction (R2) and $\sqsupset$ is compatible with the reduction.

Assume now that there exists a rule $(l \to r, \Gamma_0, \rho)$ and a substitution $\sigma$ such that $t = l\sigma$. Assume also that $l = f(\vec{l})$ and $\gamma_0 = \{\vec{x} \mapsto \vec{l}\}$. Then, $\theta = \gamma_0\sigma$. By (S5), for all $x_i \in \mathrm{FV}^\Box(\vec{T}U)$, $x_i\gamma_0\sigma \downarrow x_i\gamma_0\rho\sigma$.

We prove that $[\Gamma_f \vdash U]_{\Delta,\theta,\xi} = [\Gamma_f \vdash U]_{\Delta,\gamma_0\rho\sigma,\xi}$ and $[\Gamma_f \vdash T_i]_{\Delta,\theta,\xi} = [\Gamma_f \vdash T_i]_{\Delta,\gamma_0\rho\sigma,\xi}$. By (S4), $\sigma : \Gamma_0 \to \Delta$. By definition of a well-formed rule, $\Gamma_0 \vdash l\rho : U\gamma_0\rho$. Therefore, by inversion, $\gamma_0\rho : \Gamma_f \to \Gamma_0$ and $\gamma_0\rho\sigma : \Gamma_f \to \Delta$. We now prove that $\xi$ is compatible with $(\gamma_0\rho\sigma, \Gamma_f, \Delta)$. Then, after Lemma 121 (c), $[\Gamma_f \vdash U]_{\Delta,\theta,\xi} = [\Gamma_f \vdash U]_{\Delta,\gamma_0\rho\sigma,\xi}$ and $[\Gamma_f \vdash T_i]_{\Delta,\theta,\xi} = [\Gamma_f \vdash T_i]_{\Delta,\gamma_0\rho\sigma,\xi}$. Let $x_i \in \mathrm{FV}^\Box(\vec{T}U)$. Since $\xi$ is compatible with $(\gamma_0\sigma, \Gamma_f, \Delta)$, $x_i\xi \in \mathcal{R}_{\Delta \vdash x_i\gamma_0\sigma}$. Since $x_i\gamma_0\sigma \downarrow x_i\gamma_0\rho\sigma$, after Lemma 114 (b), $x_i\xi \in \mathcal{R}_{\Delta \vdash x_i\gamma_0\rho\sigma}$.

We now define $\xi'$ such that $[\Gamma_f \vdash U]_{\Delta,\gamma_0\rho\sigma,\xi} = [\Gamma_0 \vdash U\gamma_0\rho]_{\Delta,\sigma,\xi'}$ and $[\Gamma_f \vdash T_i]_{\Delta,\gamma_0\rho\sigma,\xi} = [\Gamma_0 \vdash T_i\gamma_0\rho]_{\Delta,\sigma,\xi'}$. Let $Y \in \mathrm{dom}^\Box(\Gamma_0)$. By (b), for all $X \in \mathrm{FV}^\Box(\vec{T}U)$, $X\gamma_0\rho \in \mathrm{dom}^\Box(\Gamma_0)$ and, for all $X, X' \in \mathrm{FV}^\Box(\vec{T}U)$, $X\gamma_0\rho = X'\gamma_0\rho$ implies $X = X'$. Then, if there exists $X$ (unique) such that $Y = X\gamma_0\rho$, we take $Y\xi' = X\xi$. Otherwise, we take $Y\xi' = \top_{\Delta \vdash Y\sigma}$. We check that $\xi'$ is compatible with $(\sigma, \Gamma_0, \Delta)$. Let $Y \in \mathrm{dom}^\Box(\Gamma_0)$. If $Y = X\gamma_0\rho$ then $Y\xi' = X\xi$. Since $\xi$ is compatible with $(\gamma_0\rho\sigma, \Gamma_f, \Delta)$, $X\xi \in \mathcal{R}_{\Delta \vdash X\gamma_0\rho\sigma}$. Since $X\gamma_0\rho = Y$, $Y\xi' \in \mathcal{R}_{\Delta \vdash Y\sigma}$. Finally, if $Y \neq X\gamma_0\rho$, $Y\xi' = \top_{\Delta \vdash Y\sigma} \in \mathcal{R}_{\Delta \vdash Y\sigma}$. Therefore, $\xi'$ is compatible with $(\sigma, \Gamma_0, \Delta)$. By candidates substitution, there exists $\xi''$ such that $[\Gamma_0 \vdash U\gamma_0\rho]_{\Delta,\sigma,\xi'} = [\Gamma_f \vdash U]_{\Delta,\gamma_0\rho\sigma,\xi''}$ and, for all $X \in \mathrm{dom}^\Box(\Gamma_f)$, $X\xi'' = [\Gamma_0 \vdash X\gamma_0\rho]_{\Delta,\sigma,\xi'}$. If $X \in \mathrm{FV}^\Box(\vec{T}U)$ then, by (b), $X\gamma_0\rho = Y \in \mathrm{dom}^\Box(\Gamma_0)$ and $X\xi'' = Y\xi' = X\xi$. Since $\xi''$ and $\xi$ are equal on $\mathrm{FV}^\Box(U)$, $[\Gamma_f \vdash U]_{\Delta,\gamma_0\rho\sigma,\xi''} = [\Gamma_f \vdash U]_{\Delta,\gamma_0\rho\sigma,\xi}$. Hence, $[\Gamma_f \vdash U]_{\Delta,\gamma_0\rho\sigma,\xi} = [\Gamma_0 \vdash U\gamma_0\rho]_{\Delta,\sigma,\xi'}$. The proof that $[\Gamma_f \vdash T_i]_{\Delta,\gamma_0\rho\sigma,\xi} = [\Gamma_0 \vdash T_i\gamma_0\rho]_{\Delta,\sigma,\xi'}$ is similar.

We now prove that $(\sigma, \Gamma_0, \Delta)$ is valid w.r.t. $\xi'$. By definition of the General Schema, $(l \to r, \Gamma_0, \rho)$ is well-formed: $\Gamma_0 \vdash f(\vec{l})\rho : U\gamma_0\rho$, $\mathrm{dom}(\rho) \cap \mathrm{dom}(\Gamma_0) = \emptyset$ and, for all $x \in \mathrm{dom}(\Gamma_0)$, there exists $i$ such that $l_i : T_i\gamma_0 \;(\rhd_{acc})^*\; x : x\Gamma_0$ (accessibility). By inversion, $\Gamma_0 \vdash l_i\rho : T_i\gamma_0\rho$. Since $\Delta \vdash l_i\sigma \in [\Gamma_0 \vdash T_i\gamma_0\rho]_{\Delta,\sigma,\xi'}$, by correctness of the accessibility relation, $\Delta \vdash x\sigma \in [\Gamma_0 \vdash x\Gamma_0\rho]_{\Delta,\sigma,\xi'}$. Since $\mathrm{dom}(\rho) \cap \mathrm{dom}(\Gamma_0) = \emptyset$, $x\Gamma_0\rho = x\Gamma_0$ and $\Delta \vdash x\sigma \in [\Gamma_0 \vdash x\Gamma_0]_{\Delta,\sigma,\xi'}$.

Hence, by correctness of the computable closure, $\Delta \vdash r\sigma \in [\Gamma_0 \vdash U\gamma_0\rho]_{\Delta,\sigma,\xi'} = [\Gamma_f \vdash U]_{\Delta,\theta,\xi}$. ■

Lemma 148 (Reductibility of typable terms) For all $\Gamma \vdash t : T$, $\Delta \in \mathcal{E}$, $\theta : \Gamma \to \Delta$ and $\xi$ compatible with $(\theta, \Gamma, \Delta)$, if $(\theta, \Gamma, \Delta)$ is valid w.r.t. $\xi$ then $\Delta \vdash t\theta \in [\Gamma \vdash T]_{\Delta,\theta,\xi}$.

Proof. By induction on $\Gamma \vdash t : T$. We proceed like in the Lemma of correctness of the computable closure, except in the case (symb) where we use the Lemmas of reductibility of first-order and higher-order symbols. ■

Theorem 149 (Strong normalization) Every typable term is strongly normalizable.

Proof. Assume that $\Gamma \vdash t : T$. Let $\theta$ be the identity substitution. This is a well-typed substitution from $\Gamma$ to $\Gamma$. Let $\xi$ be the candidate assignment defined by $X\xi = \top_{\Gamma \vdash X}$. $\xi$ is compatible with $(\theta, \Gamma, \Gamma)$ since, for all $X \in \mathrm{dom}^\Box(\Gamma)$, $X\xi \in \mathcal{R}_{\Gamma \vdash X}$. Finally, $(\theta, \Gamma, \Gamma)$ is valid w.r.t. $\xi$ since, for all $x \in \mathrm{dom}(\Gamma)$, $\Gamma \vdash x \in [\Gamma \vdash x\Gamma]_{\Gamma,\theta,\xi}$. Therefore, after the Lemma of reductibility of typable terms, $\Gamma \vdash t \in [\Gamma \vdash T]_{\Gamma,\theta,\xi}$ and, since $[\Gamma \vdash T]_{\Gamma,\theta,\xi} \subseteq \mathcal{SN}$, $t$ is strongly normalizable. ■



Chapter 9 

Future directions of research 



In this chapter, we list, more or less in order of importance, some of our strong normalization conditions that should be weakened, and some extensions that should be studied, in order to obtain more general conditions. All these problems seem difficult.

• Rewriting modulo. In our work, we have not considered rewriting modulo 
some very useful equational theories like associativity and commutativity. It is 
important to be able to extend our results to this kind of rewriting. But, while this 
does not seem to create important difficulties for rewriting at the object level and 
we already have preliminary results in this direction, it is less clear for rewriting 
at the type level. 

• Quotient types. We have seen that rewriting enables one to formalize quotient 
types by allowing rules on "constructors". However, to prove properties by "in- 
duction" on such types requires knowing what the normal forms are [72] and may 
also require a particular reduction strategy [40] or conditional rewriting. 

• Confluence. Among our strong normalization conditions, we require not only that rewriting be confluent but also that its combination with $\beta$-reduction be confluent. This is a strong condition since we cannot rely on strong normalization for proving confluence [95, 21]. Except for first-order rewriting systems without dependent types [28] or left-linear higher-order rewrite systems [92, 117], few results are known on the modularity of confluence for the combination of higher-order rewriting and $\beta$-reduction. It would therefore be interesting to study this very general question.

• Local confluence. We believe that, perhaps, local confluence is sufficient for 
establishing our result. Indeed, local confluence and strong normalization imply 
confluence. However, in this case, it seems necessary to prove many properties 
simultaneously like strong normalization and correctness of /3-reduction ( "subject 
reduction" ) , which seems difficult since many definitions rely on this last property. 

• Simplicity. For non-primitive predicate symbols, we require that their defining rules have no critical pairs, neither among themselves nor with the other rules. These strong conditions allow us to define a valid interpretation in a simple way. It is important to be able to weaken these conditions in order to capture more decision procedures.

• Logical consistency. In the Calculus of Algebraic Constructions, in contrast with the pure Calculus of Constructions, it is possible that symbols and rules enable one to write a normal proof of $\bot = (P:\star)P$. Strong normalization does not suffice to ensure logical consistency. We should look for syntactic conditions like the "strongly consistent" environments of J. Seldin [106] and, more generally, we should study the models of the Calculus of Algebraic Constructions.

• Conservativity.¹ We have seen that, in the Calculus of Constructions, adding rewriting allows one to type more terms. It is then important to study whether a proposition provable by using rewrite rules $l_1 \to r_1, \ldots$ can also be proved by using the hypotheses $l_1 = r_1, \ldots$ This is another way to establish logical consistency and to better understand the impact of rewriting on typing and provability.

• Local definitions. In our work, we have considered only globally defined symbols, that is, symbols typable in the empty environment. However, in practice, during a formal proof in a system like Coq [112], it may be very useful to introduce symbols and rules under some hypotheses. We should study the problems arising from local definitions and how our results can be used to solve them. Local abbreviations have already been studied by E. Poll and P. Severi [101]. Local definitions by rewriting are considered by J. Chrzaszcz [29].

• HORPO. For higher-order definitions, we have chosen to extend the General Schema of J.-P. Jouannaud and M. Okada [75]. But the Higher-Order Recursive Path Ordering (HORPO) of J.-P. Jouannaud and A. Rubio [76], which is an extension of N. Dershowitz's RPO to the terms of the simply typed $\lambda$-calculus, is naturally more powerful. D. Walukiewicz has recently extended this ordering to the terms of the Calculus of Constructions with symbols at the object level [118]. The combination of the two works should allow us to extend RPO to the terms of the Calculus of Constructions with symbols at the type level also.

• $\eta$-Reduction. Among our conditions, we require the confluence of $\to \;=\; \to_{\mathcal{R}} \cup \to_\beta$. Hence, our results cannot be directly extended to $\eta$-reduction, which is well known to create important difficulties [58] since $\to_{\beta\eta}$ is not confluent on badly typed terms.

• Non-strictly positive predicates. The ordering used in the General Schema for 
comparing the arguments of the function symbols can capture recursive definitions 
on basic and strictly positive types but cannot capture recursive definitions on 
non-strictly positive types [88]. However, N. P. Mendler [90] has shown that such 
definitions are strongly normalizing. It would be interesting to extend our work 
to such definitions. 



¹ We thank Henk Barendregt for having suggested that we study this question more deeply.